Palo Alto Networks Security Advisory (PAN-SA-2015-0006)

Posted: 26/10/2015

API key automatic revocation

Summary

An issue has been identified in PAN-OS that prevents old management API keys from being invalidated upon password change until the device is rebooted. This issue can create a period of time during which an administrator changes the account password, thus creating a new API key, but the old API key is still valid until device reboot.

Severity: Medium

This issue affects the management interface of the device. Network security best practices suggest administering security devices from an out-of-band network, reducing the exposed attack surface.

Products Affected

PAN-OS versions prior to PAN-OS 7.0.2 and PAN-OS 6.1.7

Available Updates

PAN-OS 7.0.2 PAN-OS 6.1.7

Workarounds and Mitigations

Administrators are advised to upgrade to PAN-OS 7.0.2 or 6.1.7 to correct the issue. As a mitigation, administrators may restart the management server of the device after administrator account password changes.

Keep up to date with the latest news

We will be keeping up to date with all the latest information and updates, so please get in touch with any questions or concerns at support@teneo.net

To keep up to date with what we know, follow us on Twitter