Palo Alto Networks Security Advisories / CVE-2024-3596

CVE-2024-3596 PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation

Urgency: MODERATE
Response Effort: MODERATE
Recovery: AUTOMATIC
Value Density: CONCENTRATED
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: PRESENT
Automatable: NO
User Interaction: PASSIVE
Product Confidentiality: NONE
Product Integrity: NONE
Product Availability: NONE
Privileges Required: NONE
Subsequent Confidentiality: HIGH
Subsequent Integrity: HIGH
Subsequent Availability: NONE

Published: 2024-07-10
Updated: 2024-07-10
Reference: PAN-247511
Discovered: externally

Description

This vulnerability allows an attacker performing a meddler-in-the-middle attack between a Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to 'superuser' when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.

CHAP and PAP are protocols with no Transport Layer Security (TLS) and are therefore vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless it is encapsulated in an encrypted tunnel. If they are in use but encapsulated within a TLS tunnel, they are not vulnerable to this attack.

For additional information regarding this vulnerability, please see https://blastradius.fail.

Product Status

Product         Versions affected   Versions unaffected
Cloud NGFW      None                All
PAN-OS 11.2     None                All
PAN-OS 11.1     < 11.1.3            >= 11.1.3
PAN-OS 11.0     < 11.0.4-h4         >= 11.0.4-h4
PAN-OS 10.2     < 10.2.10           >= 10.2.10
PAN-OS 10.1     < 10.1.14           >= 10.1.14
PAN-OS 9.1      < 9.1.19            >= 9.1.19
Prisma Access   All                 None (Fix ETA: July 30)

Required Configuration for Exposure

To be vulnerable, Palo Alto Networks PAN-OS firewalls must be configured to use CHAP or PAP as the authentication protocol for a RADIUS server. Note that PAP differs from EAP-TTLS with PAP, which is not vulnerable to this attack.

Severity: MEDIUM
CVSSv4.0 Base Score: 5.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is aware of proof-of-concept code demonstrating how to exploit this generic issue.

Weakness Type

CWE-290 Authentication Bypass by Spoofing

Solution

The best way to address this issue is to use encrypted and authenticated channels that offer modern cryptographic security guarantees.

Configure an alternate authentication mechanism if you are using RADIUS with a CHAP or PAP authentication protocol. PAN-OS provides the following alternate RADIUS authentication mechanisms: PEAP-MSCHAPv2 (default), PEAP with GTC, and EAP-TTLS with PAP. For more information, please see https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-radius-authentication.

In addition, instead of using RADIUS, you can configure an alternate authentication mechanism using one of the options described here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication.

If you are a Prisma Access customer using a RADIUS configuration with PAP or CHAP in your profile and have not applied one of the changes described above, you will be contacted to schedule an upgrade window.

PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3, and all later PAN-OS versions add a new feature to enforce an authentication check in RADIUS. This new feature is disabled by default to match the existing behavior. To enable this feature, run the following command:

    set auth radius-require-msg-authentic yes

To confirm that the setting was correctly enabled, run the following command:

    show auth radius-require-msg-authentic

If set correctly, the response will say "yes". This setting is persistent across reboots. No 'commit' is required for this to take effect.

Acknowledgments

Palo Alto Networks thanks Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl for discovering and reporting this issue.

Timeline

2024-07-10 Initial publication
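As an added illustration of the client-side check that the Solution section's `set auth radius-require-msg-authentic yes` setting turns on (this is example code written for this page, not PAN-OS code): a RADIUS client that always verifies the RFC 2865 Response Authenticator and, in enforced mode, also refuses any server response that does not carry a valid Message-Authenticator (RFC 2869, attribute 80). The shared secret, Request Authenticator and attributes below are constructed sample values.

```python
import hashlib
import hmac
import struct
MSG_AUTH = 80  # RFC 2869 Message-Authenticator attribute type
# Constructed sample values for the demonstration (not from any real deployment).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))          # Request Authenticator the client sent
ATTRS = bytes([1, 7]) + b"admin"     # User-Name attribute

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth):
    """Assemble a RADIUS response with a valid Response Authenticator (RFC 2865)
    and, if requested, a valid Message-Authenticator (RFC 2869)."""
    if with_msg_auth:
        attrs += bytes([MSG_AUTH, 18]) + b"\x00" * 16  # zeroed placeholder for the HMAC
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attrs(data):
    """Yield (type, offset, value) for each attribute TLV; reject bad lengths."""
    off = 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[off], off, data[off + 2:off + data[off + 1]]
        off += data[off + 1]

def verify_response(pkt, req_auth, secret, require_msg_auth):
    """Client-side acceptance check; with require_msg_auth=True a response lacking a
    valid Message-Authenticator is rejected ('set auth radius-require-msg-authentic yes')."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    try:
        found = [(off, val) for typ, off, val in parse_attrs(attrs) if typ == MSG_AUTH]
    except ValueError:
        return False
    if not found:
        return not require_msg_auth  # legacy mode accepts it, enforced mode does not
    off, val = found[0]
    zeroed = attrs[:off + 2] + b"\x00" * 16 + attrs[off + 18:]
    mac = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    return len(val) == 16 and hmac.compare_digest(mac, val)
```

In the default (non-enforced) mode a response that carries only the MD5-based Response Authenticator is accepted; in enforced mode the same response is rejected, which is the behavioural difference the new setting introduces.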