Attack Chain

1. The attacker identifies a vulnerable PAN-OS firewall with the Authentication Portal service enabled.
2. The attacker crafts a malicious network packet specifically designed to exploit the vulnerability in the Authentication Portal service.
3. The attacker sends the specially crafted packet to the targeted firewall on the port used by the Authentication Portal service (typically TCP port 443).
4. The vulnerable code within the Authentication Portal service fails to properly handle the malicious packet.
5. This leads to a buffer overflow or other memory corruption error.
6. The attacker leverages this memory corruption to inject and execute arbitrary code.
7. The injected code executes with root privileges due to the elevated permissions of the Authentication Portal service.
8. The attacker gains complete control over the firewall and can perform actions such as modifying firewall rules, accessing sensitive data, or pivoting to other internal networks.

Impact

Successful exploitation of this vulnerability grants an unauthenticated attacker complete control over the affected Palo Alto Networks firewalls. This can lead to a complete compromise of the network perimeter, allowing attackers to bypass security controls, exfiltrate sensitive data, or launch further attacks against internal systems. The root-level access obtained enables attackers to disable security features, modify configurations, and potentially use the compromised firewall as a persistent backdoor.

Recommendation

• Apply the security patches released by Palo Alto Networks immediately to all affected PA-Series and VM-Series firewalls running PAN-OS to remediate the vulnerability.
• Monitor network traffic for suspicious packets targeting the Authentication Portal service on PAN-OS firewalls, using a network intrusion detection system (NIDS).
• Deploy the Sigma rule “Detect PAN-OS Authentication Portal Exploitation Attempt” to detect malicious packets attempting to exploit the vulnerability.