Palo Alto Security Center, April 10, 00:21
CVE-2025-0128 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM)

 

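A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts cause the firewall to enter maintenance mode. Affected versions include PAN-OS 11.0, 10.0, 9.1, 9.0 and earlier versions, while Cloud NGFW and Prisma Access are not affected by this vulnerability. Users are advised to upgrade to a fixed version or to disable SCEP before a reboot to mitigate the risk.

🚨 The vulnerability resides in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS software and allows an unauthenticated attacker to trigger system reboots using a carefully crafted packet.

⚠️ Repeated exploitation of this vulnerability causes the firewall to enter maintenance mode, interrupting normal service. Note that you may be affected by this vulnerability even if you have not explicitly configured SCEP.

🛡️ Cloud NGFW and Prisma Access software are not affected by this vulnerability. For affected PAN-OS versions, Palo Alto Networks recommends upgrading to a fixed version or, if SCEP is not in use, temporarily disabling SCEP with a CLI command to mitigate the risk; this workaround is effective only until the next reboot.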

A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot cause the firewall to enter maintenance mode.

Cloud NGFW is not affected by this vulnerability. Prisma® Access software is proactively patched and protected from this issue.

PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and earlier PAN-OS versions have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities, so we do not plan to fix this issue in these EoL versions. You should presume that these versions are affected.

NOTE: You do not need to have explicitly configured SCEP on your firewall to be at risk. Firewalls for which you do not apply the explicit mitigation for this issue are affected.

Palo Alto Networks is not aware of any malicious exploitation of this issue.

PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade to a fixed supported version.

We proactively initiated the upgrade through Prisma Access on March 21, 2025, to cover all tenants.

If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI):

CAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected.
