Palo Alto Security Center, January 24
PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin (Severity: NONE)

Palo Alto Networks has published a security bulletin identifying multiple potential vulnerabilities in the firmware and bootloaders of its PA-Series hardware firewalls. Under normal conditions these vulnerabilities cannot be exploited maliciously, because an attacker would first have to compromise the system and obtain root privileges. The bulletin lists several CVE-numbered issues, covering BootHole, the InsydeH2O kernel, the TPM 2.0 Module Library and others. Some of them affect the PA-3500, PA-5200 and PA-7200 series, while other hardware firewalls are not affected. PAN-OS CN-Series, VM-Series, Cloud NGFW and Prisma Access products are not affected by these vulnerabilities. Palo Alto Networks is working with third-party vendors to develop the necessary firmware updates and recommends that users upgrade their appliances to the latest versions and follow the best-practice guidelines.

⚠️ The firmware and bootloaders of Palo Alto Networks hardware firewalls contain multiple potential vulnerabilities, but under normal conditions they are difficult to exploit.

🔒 An attacker must first compromise the PAN-OS system and obtain root Linux privileges before these firmware vulnerabilities can be exploited; the vulnerabilities themselves do not directly threaten the PAN-OS software.

🛠️ Some of the vulnerabilities affect the PA-3500, PA-5200 and PA-7200 series, and Palo Alto Networks is working with third parties on firmware updates. Other hardware firewalls, and products such as PAN-OS CN-Series and VM-Series, are not affected.

🛡️ Users are advised to upgrade their appliances to the latest versions, restrict access to the management interface and follow the best-practice guidelines to reduce the risk of exploitation.

Palo Alto Networks Security Advisories / PAN-SA-2025-0003

PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin
Severity: Informational
Published: 2025-01-23
Updated: 2025-01-23

Description

Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls. It is not possible for malicious actors or PAN-OS administrators to exploit these vulnerabilities under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines. Users and administrators do not have access to the BIOS firmware or permissions to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit these vulnerabilities. These vulnerabilities themselves do not allow an attacker to compromise the PAN-OS software on the firewall.

None of the concerns are applicable to PAN-OS CN-Series, PAN-OS VM-Series, Cloud NGFW and Prisma Access.

CVE Summary

CVE-2020-10713: The BootHole vulnerability may allow an attacker to hijack and tamper with the GRUB verification process. It is not possible for malicious actors or PAN-OS administrators to exploit this vulnerability under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines.

The following Insyde InsydeH2O issues share one status: we are working with the third-party vendors to develop any firmware updates that may be needed for PA-3500 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected.

CVE-2021-33627: The Insyde InsydeH2O kernel does not check that the address of a buffer is valid.
CVE-2021-42060: Privilege escalation in the InsydeH2O kernel.
CVE-2021-42554: Memory corruption in Insyde InsydeH2O with kernel.
CVE-2021-43323: Privilege escalation in UsbCoreDxe in Insyde InsydeH2O with kernel.
CVE-2021-45970: Insufficient validation of the allocated buffer pointer in IdeBusDxe in Insyde InsydeH2O with kernel.
CVE-2022-24030: Memory corruption in AhciBusDxe in Insyde InsydeH2O with kernel.

CVE-2023-40238: Also known as LogoFail, some BIOS are susceptible to malicious logo images written to the BIOS's filesystem. PAN-OS is not affected as the conditions required to exploit this vulnerability do not exist in PAN-OS.

CVE-2023-1017: An out-of-bounds write vulnerability exists in the TPM 2.0 Module Library, allowing 2 bytes of data to be written past the end of a buffer. This issue is not applicable to any of our products.

The following PixieFAIL issues in EDK2's Network Package share one status: our products are unaffected since the BIOS network stack is disabled.

CVE-2023-45229: Out-of-bounds read when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message.
CVE-2023-45230: Buffer overflow via a long Server ID option in the DHCPv6 client.
CVE-2023-45231: Out-of-bounds read when processing Neighbor Discovery Redirect messages.
CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header of IPv6.
CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header of IPv6.
CVE-2023-45234: Buffer overflow when processing the DNS Servers option from a DHCPv6 Advertise message.
CVE-2023-45235: Buffer overflow when handling the Server ID option from a DHCPv6 proxy Advertise message.

CVE-2023-45236: PixieFAIL: EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. PAN-OS is not affected as the conditions required to exploit this vulnerability do not exist in PAN-OS.

CVE-2023-45237: PixieFAIL: EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. PAN-OS is not affected as the conditions required to exploit this vulnerability do not exist in PAN-OS.

Insecure Flash Access Control Vulnerability: Misconfigured or missing SPI flash access controls could permit an attacker to write to UEFI. This requires physical access to the system and tampering with the hardware. Conditions to exploit this vulnerability do not exist in PAN-OS. We recommend restricting physical access to the firewalls as a best practice.

Intel Bootguard Leaked Keys Bypass: Intel Bootguard had private keys leaked that they have concluded are pre-production or test keys. These keys are not used in any of the BIOS firmware used in Palo Alto Networks firewalls. This issue does not affect PAN-OS.

Product Status

Product              Affected versions                      Unaffected versions
Cloud NGFW           None                                   All
PAN-OS CN-Series     None                                   All
PAN-OS PA-Series     As listed in the CVE table above       All others not listed in the CVE table above
PAN-OS VM-Series     None                                   All
Prisma Access        None                                   All

Required Configuration for Exposure

Some of these vulnerabilities are exploitable only when an attacker has already compromised the PAN-OS software and gained root Linux privileges on the system, or has privileged access to the management networks, or has physical access to open the device. This is not possible under normal conditions on PAN-OS versions that are up-to-date and deployed according to best practices.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.

Solution

While the conditions required to exploit these vulnerabilities are not available to users protected by PAN-OS or administrators of PAN-OS software, we are working with the third-party vendors to develop any firmware updates that may be needed. We will provide further updates and guidance as they become available.

Workarounds and Mitigations

These vulnerabilities require an attacker to compromise the PAN-OS software before they can be exploited. The risk of exploitation on PAN-OS software is reduced by upgrading your appliances to the latest versions. Additionally, secure access to the management web interface by restricting access to only trusted internal IP addresses, according to our recommended best-practice deployment guidelines.

Timeline

2025-01-23: Initial publication
