Palo Alto Networks Security Advisory (PAN-SA-2015-0006)
API key automatic revocation
An issue has been identified in PAN-OS that prevents old management API keys from being invalidated upon password change until the device is rebooted. This creates a window after an administrator changes an account password (which generates a new API key) during which the old API key remains valid until the device is rebooted.
This issue affects the management interface of the device. Network security best practices suggest administering security devices from an out-of-band network, reducing the exposed attack surface.
Affected versions: PAN-OS versions prior to PAN-OS 7.0.2 and PAN-OS 6.1.7
Fixed versions: PAN-OS 7.0.2, PAN-OS 6.1.7
Workarounds and Mitigations
Administrators are advised to upgrade to PAN-OS 7.0.2 or 6.1.7 to correct the issue. As a mitigation, administrators may restart the management server of the device after administrator account password changes.
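The failure mode the advisory describes, as an added illustration that is not PAN-OS code: a hypothetical key store whose in-memory acceptance cache is only flushed by a reboot, beside the corrected behaviour that purges the cache when the password changes. All names (ApiKeyStore, keygen, change_password, reboot) and the cache mechanism are assumptions made for the example; the real device's internals are not described on this page.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    password_hash: str
    generation: int = 0  # incremented on every password change


class ApiKeyStore:
    """Hypothetical management-API key store (not PAN-OS code).

    Keys are recorded with the password generation they were issued under.
    A validated key is also placed in an in-memory acceptance cache; the
    flawed variant keeps that cache across password changes and only drops
    it on reboot, which is the behaviour the advisory describes.
    """

    def __init__(self, purge_cache_on_password_change: bool) -> None:
        self.purge_cache_on_password_change = purge_cache_on_password_change
        self._accounts: dict[str, Account] = {}
        self._issued: dict[str, tuple[str, int]] = {}  # key -> (user, generation)
        self._cache: set[str] = set()  # keys accepted without re-checking the account

    @staticmethod
    def _hash(password: str) -> str:
        # Plain SHA-256 keeps the example short; a real store uses a slow password KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def add_account(self, user: str, password: str) -> None:
        self._accounts[user] = Account(self._hash(password))

    def keygen(self, user: str, password: str) -> str | None:
        """Issue a new API key for valid credentials, else None."""
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, self._hash(password)):
            return None
        key = secrets.token_hex(16)
        self._issued[key] = (user, acct.generation)
        self._cache.add(key)
        return key

    def change_password(self, user: str, new_password: str) -> None:
        acct = self._accounts[user]
        acct.password_hash = self._hash(new_password)
        acct.generation += 1  # every key issued under the old password is now stale
        if self.purge_cache_on_password_change:
            stale = [k for k, (u, _) in self._issued.items() if u == user]
            self._cache.difference_update(stale)

    def reboot(self) -> None:
        self._cache.clear()  # the only thing that flushes the cache in the flawed variant

    def is_valid(self, key: str) -> bool:
        if key in self._cache:
            return True  # fast path: trusts the cache without consulting the account
        issued = self._issued.get(key)
        if issued is None:
            return False
        user, generation = issued
        return self._accounts[user].generation == generation


def stale_key_survives_password_change(store: ApiKeyStore) -> bool:
    """Post-change check: issue a key, change the password, see if the old key still works."""
    store.add_account("admin", "old-password")  # constructed sample account
    old_key = store.keygen("admin", "old-password")
    assert old_key is not None
    store.change_password("admin", "new-password")
    return store.is_valid(old_key)


if __name__ == "__main__":
    for label, purge in (("flawed", False), ("fixed", True)):
        store = ApiKeyStore(purge_cache_on_password_change=purge)
        print(f"{label}: old key still valid after password change ->",
              stale_key_survives_password_change(store))
```

The stale_key_survives_password_change check is the same verification an administrator can perform on a real device after a password change: generate a key before the change, change the password, then confirm the old key is rejected; if it is still accepted, apply the mitigation above (restart the management server or upgrade) and re-check.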