CVE-2024-3383 - Vulnerability Details - OpenCVE

A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Paloaltonetworks	Pan-os

Configuration 1 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::

No data.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2024-3383

History

Fri, 24 Jan 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Paloaltonetworks Paloaltonetworks pan-os
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:o:paloaltonetworks:pan-os::::::::
Vendors & Products		Paloaltonetworks Paloaltonetworks pan-os

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2024-04-10T17:06:15.823Z

Updated: 2024-08-09T20:22:18.991Z

Reserved: 2024-04-05T17:40:16.359Z

Link: CVE-2024-3383

Vulnrichment

Updated: 2024-08-01T20:12:06.566Z

NVD

Status : Analyzed

Published: 2024-04-10T17:15:57.000

Modified: 2025-01-24T15:29:26.313

Link: CVE-2024-3383

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3383", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2024-04-05T17:40:16.359Z", "datePublished": "2024-04-10T17:06:15.823Z", "dateUpdated": "2024-08-09T20:22:18.991Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "11.1.0"}, {"changes": [{"at": "11.0.3", "status": "unaffected"}], "lessThan": "11.0.3", "status": "affected", "version": "11.0.0", "versionType": "custom"}, {"changes": [{"at": "10.2.5", "status": "unaffected"}], "lessThan": "10.2.5", "status": "affected", "version": "10.2.0", "versionType": "custom"}, {"changes": [{"at": "10.1.11", "status": "unaffected"}], "lessThan": "10.1.11", "status": "affected", "version": "10.1.0", "versionType": "custom"}, {"status": "unaffected", "version": "9.1.0"}, {"status": "unaffected", "version": "9.0.0"}]}, {"defaultStatus": "unaffected", "product": "Cloud NGFW", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "Prisma Access", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue applies only to PAN-OS firewall configurations with Cloud Identity Engine (CIE) enabled. You should verify whether CIE is configured on your firewall web interface (Device > User Identification > Cloud Identity Engine)."}], "value": "This issue applies only to PAN-OS firewall configurations with Cloud Identity Engine (CIE) enabled. You should verify whether CIE is configured on your firewall web interface (Device > User Identification > Cloud Identity Engine)."}], "credits": [{"lang": "en", "type": "finder", "value": "Palo Alto Networks thanks Rodgers Moore, CCIE# 8153 of Insight.com, for discovering and reporting this issue."}], "datePublic": "2024-04-10T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules."}], "value": "A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.<br>"}], "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\n"}], "impacts": [{"capecId": "CAPEC-271", "descriptions": [{"lang": "en", "value": "CAPEC-271 Schema Poisoning"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-282", "description": "CWE-282: Improper Ownership Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2024-04-10T17:06:15.823Z"}, "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-3383"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.<br>"}], "value": "This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.\n"}], "source": {"defect": ["PAN-211764", "PAN-218522"], "discovery": "USER"}, "timeline": [{"lang": "en", "time": "2024-04-10T16:00:00.000Z", "value": "Initial publication"}], "title": "PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:06.566Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-3383", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-09T20:22:10.488052Z", "id": "CVE-2024-3383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T20:22:18.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-3383", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:06.566Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-09T20:22:10.488052Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T20:22:14.939Z"}}], "cna": {"title": "PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE)", "source": {"defect": ["PAN-211764", "PAN-218522"], "discovery": "USER"}, "credits": [{"lang": "en", "type": "finder", "value": "Palo Alto Networks thanks Rodgers Moore, CCIE# 8153 of Insight.com, for discovering and reporting this issue."}], "impacts": [{"capecId": "CAPEC-271", "descriptions": [{"lang": "en", "value": "CAPEC-271 Schema Poisoning"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [{"status": "unaffected", "version": "11.1.0"}, {"status": "affected", "changes": [{"at": "11.0.3", "status": "unaffected"}], "version": "11.0.0", "lessThan": "11.0.3", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.2.5", "status": "unaffected"}], "version": "10.2.0", "lessThan": "10.2.5", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.1.11", "status": "unaffected"}], "version": "10.1.0", "lessThan": "10.1.11", "versionType": "custom"}, {"status": "unaffected", "version": "9.1.0"}, {"status": "unaffected", "version": "9.0.0"}], "defaultStatus": "unaffected"}, {"vendor": "Palo Alto Networks", "product": "Cloud NGFW", "versions": [{"status": "unaffected", "version": "All"}], "defaultStatus": "unaffected"}, {"vendor": "Palo Alto Networks", "product": "Prisma Access", "versions": [{"status": "unaffected", "version": "All"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.\n", "supportingMedia": [{"type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.<br>", "base64": false}]}], "timeline": [{"lang": "en", "time": "2024-04-10T16:00:00.000Z", "value": "Initial publication"}], "solutions": [{"lang": "en", "value": "This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.\n", "supportingMedia": [{"type": "text/html", "value": "This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.<br>", "base64": false}]}], "datePublic": "2024-04-10T16:00:00.000Z", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2024-3383"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-282", "description": "CWE-282: Improper Ownership Management"}]}], "configurations": [{"lang": "en", "value": "This issue applies only to PAN-OS firewall configurations with Cloud Identity Engine (CIE) enabled. You should verify whether CIE is configured on your firewall web interface (Device > User Identification > Cloud Identity Engine).", "supportingMedia": [{"type": "text/html", "value": "This issue applies only to PAN-OS firewall configurations with Cloud Identity Engine (CIE) enabled. You should verify whether CIE is configured on your firewall web interface (Device > User Identification > Cloud Identity Engine).", "base64": false}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2024-04-10T17:06:15.823Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3383", "state": "PUBLISHED", "dateUpdated": "2024-08-09T20:22:18.991Z", "dateReserved": "2024-04-05T17:40:16.359Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2024-04-10T17:06:15.823Z", "assignerShortName": "palo_alto"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "77695C8C-9732-4605-A160-A5159BD8B49C", "versionEndExcluding": "10.1.11", "versionStartIncluding": "10.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "831B815F-436B-40D2-AFBA-9BE7275C2BEB", "versionEndExcluding": "10.2.5", "versionStartIncluding": "10.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6B9B8A6-A4A7-4C14-9D22-50FEF531F15D", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules."}, {"lang": "es", "value": "Una vulnerabilidad en la forma en que el software PAN-OS de Palo Alto Networks procesa los datos recibidos de los agentes de Cloud Identity Engine (CIE) permite la modificaci\u00f3n de los grupos de ID de usuario. Esto afecta el acceso de los usuarios a los recursos de la red, donde se les puede negar o permitir el acceso de manera inapropiada a los recursos seg\u00fan las reglas de la pol\u00edtica de seguridad existentes."}], "id": "CVE-2024-3383", "lastModified": "2025-01-24T15:29:26.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-10T17:15:57.000", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2024-3383"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2024-3383"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-282"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}