-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0111
               A vulnerability has been identified in PAN-OS
                             29 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Palo Alto Networks web management server
Operating System:     PAN-OS
                      Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-9150  
Member content until: Thursday, December 29 2016

OVERVIEW

        A vulnerability has been identified in PAN-OS prior to versions 
        5.0.20, 5.1.13, 6.0.15, 6.1.15, 7.0.11 and 7.1.6. [1]


IMPACT

        The vendor has provided the following details regarding the issue:
        
        CVE-2016-9150:
        
        "Severity: Critical
        
        An attacker with network access to the management web interface may
        be able to perform a remote code execution (RCE) or 
        denial-of-service (DoS)." [1]


MITIGATION

        The vendor recommends upgrading to the latest versions to address 
        this issue. [1]
        
        Additionally, the vendor recommends the following best practices to
        mitigate the issue:
        
        "Palo Alto Networks recommends to implement best practice by 
        allowing web interface access only to a dedicated management 
        network. Additionally, restrict the set of IP addresses to a subset
        of authorized sources that you allow to interact with the management
        network." [1]
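        The two actions in this bulletin, comparing the running PAN-OS release
        against the fixed versions listed in the OVERVIEW and confirming that the
        management web interface is reachable only from authorised sources, can
        both be checked from an inventory. The following script is an added
        example written for this bulletin; it is not AusCERT or Palo Alto
        Networks code. The fixed version numbers are taken from the bulletin.
        The "-hN" hotfix suffix handling, the inventory layout and the sample
        hostnames and addresses are assumptions constructed for illustration.

```python
"""Check PAN-OS versions against the fixed releases in ASB-2016.0111 and
flag management-interface clients outside a permitted set of networks.
Added example; not AusCERT or Palo Alto Networks code."""
import ipaddress
import re

# Fixed patch level per PAN-OS branch, as listed in the bulletin:
# 5.0.20, 5.1.13, 6.0.15, 6.1.15, 7.0.11 and 7.1.6.
# A release on one of these branches with a lower patch number is affected.
FIXED_VERSIONS = {
    (5, 0): 20,
    (5, 1): 13,
    (6, 0): 15,
    (6, 1): 15,
    (7, 0): 11,
    (7, 1): 6,
}

# major.minor.patch with an optional "-hN" hotfix suffix (the hotfix
# suffix format is an assumption about PAN-OS version naming).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix) for a PAN-OS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(text):
    """True if below the branch's fixed release, False if at or above it,
    None if the bulletin does not list a fixed release for the branch."""
    major, minor, patch, _hotfix = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def minimum_fixed(text):
    """Lowest fixed release on the same branch, or None if not listed."""
    major, minor, _patch, _hotfix = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return f"{major}.{minor}.{fixed}"


def build_permitted(cidrs):
    """Parse the operator's permitted management networks (CIDR strings)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def management_access_allowed(source, permitted):
    """True if the client address lies inside any permitted network."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in permitted)


def audit_fleet(inventory, permitted_cidrs):
    """inventory: list of (hostname, version, client addresses seen on the
    management interface). Returns one finding per host needing action."""
    permitted = build_permitted(permitted_cidrs)
    findings = []
    for host, version, sources in inventory:
        affected = is_affected(version)
        unexpected = [s for s in sources
                      if not management_access_allowed(s, permitted)]
        if affected or affected is None or unexpected:
            findings.append({
                "host": host,
                "version": version,
                "affected": affected,          # None = branch not in bulletin
                "upgrade_to": minimum_fixed(version),
                "unexpected_sources": unexpected,
            })
    return findings


# Constructed sample inventory and permitted management network (not real data).
PERMITTED_MGMT = ["10.10.0.0/24"]
SAMPLE_INVENTORY = [
    ("fw-edge-1", "7.0.10", ["10.10.0.7", "198.51.100.4"]),
    ("fw-dc-2", "7.1.6", ["10.10.0.8"]),
    ("fw-lab-3", "7.1.6-h1", ["10.10.0.9"]),
]

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_INVENTORY, PERMITTED_MGMT):
        print(finding)
```

        A host is reported when its release is below the fixed level for its
        branch, when its branch is not covered by the bulletin (so the status
        must be confirmed with the vendor), or when the management interface
        has been reached from an address outside the permitted networks.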


REFERENCES

        [1] Buffer Overflow in the Management Web Interface (PAN-SA-2016-0035)
            https://securityadvisories.paloaltonetworks.com/Home/Detail/68

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----