CVE-2021-3047

Published: Aug 11, 2021Modified: Nov 21, 2024

3.1

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 1.6 / Impact: 1.4

Source: NVD

Description

A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted.

Affected (4)

Products: Paloaltonetworks: Pan Os

Paloaltonetworks

1 product

Pan Os

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Paloaltonetworks Pan Os	From 10.0.0 to 10.0.4
Paloaltonetworks Pan Os	From 8.1.0 to 8.1.19
Paloaltonetworks Pan Os	From 9.0.0 to 9.0.14
Paloaltonetworks Pan Os	From 9.1.0 to 9.1.10

Related CWEs

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

References (2)

https://security.paloaltonetworks.com/CVE-2021-3047

Source: psirt@paloaltonetworks.com

Vendor Advisory

https://security.paloaltonetworks.com/CVE-2021-3047

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.