CVE-2023-38046: 
PAN-OS vulnerability analysis and mitigation

A vulnerability exists in Palo Alto Networks PAN-OS software (CVE-2023-38046) that enables an authenticated administrator with the privilege to commit a specifically created configuration to read local files and resources from the system. The vulnerability was discovered by Kajetan Rostojek and disclosed on July 12, 2023. The affected versions include PAN-OS 11.0 versions before 11.0.1 and PAN-OS 10.2 versions before 10.2.4 (Palo Advisory).

The vulnerability is classified as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere). It has received a CVSS v3.1 base score of 5.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N. The vulnerability requires network access (AV:N), has low attack complexity (AC:L), requires high privileges (PR:H), needs no user interaction (UI:N), has unchanged scope (S:U), with high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N) (Palo Advisory, NVD).

The vulnerability allows an authenticated administrator to read local files and resources from the system, potentially exposing sensitive system information. The impact is primarily focused on confidentiality with high impact, while having a low impact on system integrity and no impact on availability (Palo Advisory).

The vulnerability has been fixed in PAN-OS versions 10.2.4, 11.0.1, and all later PAN-OS versions. As a mitigation measure, organizations are advised to follow best practices for securing PAN-OS administrative access. Detailed guidance can be found in the PAN-OS technical documentation for Best Practices for Securing Administrative Access (Palo Advisory).