Publication Date: | 2024-07-09 |
Last Update: | 2025-07-08 |
Current Version: | V1.6 |
CVSS v3.1 Base Score: | 9.1 |
CVSS v4.0 Base Score: | 9.1 |
Affected Product and Versions | Remediation |
---|---|
Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices | Upgrade Palo Alto Networks Virtual NGFW to V11.1.4-h1. Contact customer support to receive patch and update information |
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
Please follow the General Security Recommendations.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.
CVSS v3.1 Base Score | 5.9 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
CWE | CWE-222: Truncation of Security-relevant Information |

CVSS v3.1 Base Score | 9.0 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
CVSS v4.0 Base Score | 9.1 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H |
CWE | CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel |

CVSS v3.1 Base Score | 6.8 |
CVSS v3.1 Vector | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
CVSS v4.0 Base Score | 5.4 |
CVSS v4.0 Vector | CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CWE | CWE-20: Improper Input Validation |

CVSS v3.1 Base Score | 2.4 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
CVSS v4.0 Base Score | 4.6 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |

CVSS v3.1 Base Score | 5.9 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
CVSS v4.0 Base Score | 8.2 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
CWE | CWE-787: Out-of-bounds Write |

CVSS v3.1 Base Score | 4.7 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
CVSS v4.0 Base Score | 5.1 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
CWE | CWE-20: Improper Input Validation |

CVSS v3.1 Base Score | 5.9 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Base Score | 8.2 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
CWE | CWE-400: Uncontrolled Resource Consumption |

A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user. The attacker must have network access to the management web interface and successfully authenticate to exploit this issue.
CVSS v3.1 Base Score | 9.1 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVSS v4.0 Base Score | 8.6 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N |
CWE | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') |
Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications [1]. PANW provides a public RSS feed for their security alerts to which customers can also subscribe [2].
[1] https://security.paloaltonetworks.com/?version=PAN-OS+11.1.2-h3&product=PAN-OS
[2] https://security.paloaltonetworks.com/rss.xml
V1.0 (2024-07-09): | Publication Date |
V1.1 (2024-08-13): | Added newly published CVE-2024-5913 and CVE-2024-3596 |
V1.2 (2024-10-08): | Added CVE-2023-48795, CVE-2024-3596, CVE-2024-5913 and fix version information for Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices |
V1.3 (2024-11-12): | Added newly published CVE-2024-9468 and CVE-2024-9471. Added CVSSv4.0 vector to CVE-2024-5913 |
V1.4 (2024-12-10): | Added newly published CVE-2024-5920 |
V1.5 (2025-04-08): | Added newly published CVE-2025-0114 |
V1.6 (2025-07-08): | Added newly published CVE-2025-4231 |