CVE-2024-5919: 
PAN-OS vulnerability analysis and mitigation

A blind XML External Entities (XXE) injection vulnerability was discovered in the Palo Alto Networks PAN-OS software (CVE-2024-5919). The vulnerability was disclosed on November 13, 2024, affecting multiple versions of PAN-OS software including versions prior to 10.1.10, 10.2.5, and 11.0.2. The vulnerability was discovered externally by Dan Marin of Deloitte, Cristian Mocanu of Deloitte, and Alex Hordijk (Palo Advisory).

The vulnerability is classified as a blind XML External Entities (XXE) injection vulnerability (CWE-611) with a CVSS 4.0 Base Score of 5.1 (MEDIUM) and CVSS-BT score of 1.2 (LOW). The attack requires network access to the firewall management interface and high privileges. The vulnerability is characterized by improper restriction of XML external entity references, which aligns with CAPEC-201 XML Entity Linking (Palo Advisory, NVD).

If exploited, the vulnerability enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker-controlled server. The impact is primarily focused on data confidentiality and integrity, with the CVSS metrics indicating low impact on both confidentiality and integrity, while having no impact on availability (Palo Advisory).

The vulnerability has been fixed in PAN-OS versions 10.1.10, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions. Cloud NGFW, PAN-OS 11.1, PAN-OS 11.2, and Prisma Access are not affected by this vulnerability (Palo Advisory).