CVE-2024-3387
5.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | 9.0.0 | unaffected |
| Palo Alto Networks | PAN-OS | 9.1.0 | unaffected |
| Palo Alto Networks | PAN-OS | 10.1.0 < 10.1.12 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.7-h3 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.8 | affected |
| Palo Alto Networks | PAN-OS | 11.0.0 < 11.0.4 | affected |
| Palo Alto Networks | PAN-OS | 11.1.0 | unaffected |
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | Prisma Access | All | unaffected |
Weaknesses
- CWE-326: CWE-326 Inadequate Encryption Strength
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.