Palo Alto Security Center, 2024-07-04
CVE-2024-3383 PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE) (Severity: HIGH)

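A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents allows an attacker to modify User-ID groups. This affects user access to network resources: depending on the existing Security Policy rules, users may be wrongly denied or wrongly allowed access to resources.

🤔 **Vulnerability overview**: PAN-OS software has a flaw in how it processes data received from Cloud Identity Engine (CIE) agents, which an attacker can use to modify User-ID groups.

💻 **Scope of impact**: The vulnerability affects PAN-OS firewall configurations that use Cloud Identity Engine (CIE). If CIE is enabled on your firewall, it may be affected.

🛡️ **Solution**: Palo Alto Networks has fixed this issue in PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions. Upgrade affected firewalls to a fixed PAN-OS version as soon as possible.

🤝 **Acknowledgments**: Palo Alto Networks thanks Rodgers Moore (CCIE# 8153) of Insight.com for discovering and reporting this issue.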

**CVE-2024-3383 PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE)**

| Metric | Value |
| --- | --- |
| Urgency | MODERATE |
| Response Effort | LOW |
| Recovery | USER |
| Value Density | DIFFUSE |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Attack Requirements | PRESENT |
| Automatable | YES |
| User Interaction | NONE |
| Product Confidentiality | NONE |
| Product Integrity | HIGH |
| Product Availability | HIGH |
| Privileges Required | NONE |
| Subsequent Confidentiality | NONE |
| Subsequent Integrity | NONE |
| Subsequent Availability | NONE |

**Published**: 2024-04-10

**Updated**: 2024-04-10

**Reference**: PAN-211764 and PAN-218522

**Discovered**: in production use

**Description**

A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.

**Product Status**

| Versions | Affected | Unaffected |
| --- | --- | --- |
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.3 | >= 11.0.3 |
| PAN-OS 10.2 | < 10.2.5 | >= 10.2.5 |
| PAN-OS 10.1 | < 10.1.11 | >= 10.1.11 |
| PAN-OS 9.1 | None | All |
| PAN-OS 9.0 | None | All |
| Prisma Access | None | All |

**Required Configuration for Exposure**

This issue applies only to PAN-OS firewall configurations with Cloud Identity Engine (CIE) enabled. You should verify whether CIE is configured on your firewall web interface (Device > User Identification > Cloud Identity Engine).

**Severity**: HIGH

**CVSSv4.0 Base Score**: 8.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-282: Improper Ownership Management

**Solution**

This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.

**Acknowledgments**

Palo Alto Networks thanks Rodgers Moore, CCIE# 8153 of Insight.com, for discovering and reporting this issue.

**Timeline**

2024-04-10 Initial publication
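For fleet triage against the product status and exposure condition above, the following is an added example, not code from Palo Alto Networks or from the advisory. It assumes version strings of the form `major.minor.patch` with an optional `-hN` hotfix suffix; the inventory rows and hostnames are constructed, and the function names and result labels are hypothetical.

```python
import re

# First fixed maintenance release per release train, taken from the advisory's
# Product Status table. None means the advisory lists no affected versions.
FIXED_IN = {
    (11, 1): None,
    (11, 0): (11, 0, 3),
    (10, 2): (10, 2, 5),
    (10, 1): (10, 1, 11),
    (9, 1): None,
    (9, 0): None,
}

# Assumed version format: major.minor.patch with an optional -hN hotfix suffix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def triage(version, cie_enabled):
    """Return 'affected', 'not exposed', 'not affected' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparseable version string: check by hand
    # Compare as integers so that 10.1.9 sorts below 10.1.11.
    parsed = tuple(int(part) for part in m.groups())
    train = parsed[:2]
    if train not in FIXED_IN:
        return "unknown"  # release train not covered by the advisory table
    fixed = FIXED_IN[train]
    if fixed is None or parsed >= fixed:
        return "not affected"
    # Vulnerable build: the advisory says exposure also requires CIE enabled.
    return "affected" if cie_enabled else "not exposed"


# Constructed sample inventory: (hostname, PAN-OS version, CIE configured?)
INVENTORY = [
    ("fw-edge-01", "10.1.9", True),
    ("fw-edge-02", "10.1.11-h1", True),
    ("fw-dc-01", "10.2.4-h3", False),
    ("fw-dc-02", "11.0.3", True),
    ("fw-old-01", "8.1.25", True),
]


def triage_inventory(rows):
    """Map each hostname to its triage result."""
    return {name: triage(version, cie) for name, version, cie in rows}


if __name__ == "__main__":
    for host, result in triage_inventory(INVENTORY).items():
        print(f"{host}: {result}")
```

A "not exposed" result still marks a build below the fixed release, so it becomes "affected" as soon as CIE is configured on that firewall.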
