CVE-2022-0022

Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration. Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. This issue does not impact Prisma Access firewalls. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; All versions of PAN-OS 9.0; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7.

CVSS v3 4.1 MEDIUM
CVSS v2.0 4.6 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://security.paloaltonetworks.com/CVE-2022-0022	Vendor Advisory
https://security.paloaltonetworks.com/CVE-2022-0022	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::

History

21 Nov 2024, 06:37

Type	Values Removed	Values Added
References	~~() https://security.paloaltonetworks.com/CVE-2022-0022 - Vendor Advisory~~	() https://security.paloaltonetworks.com/CVE-2022-0022 - Vendor Advisory
CVSS	v2 : ~~4.6~~ v3 : ~~4.4~~	v2 : 4.6 v3 : 4.1

Information

Published : 2022-03-09 18:15

Updated : 2024-11-21 06:37

NVD link : CVE-2022-0022

Mitre link : CVE-2022-0022

CVE.ORG link : CVE-2022-0022

JSON object : View

Products Affected

paloaltonetworks

pan-os

CWE

CWE-916

Use of Password Hash With Insufficient Computational Effort

{"id": "CVE-2022-0022", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@paloaltonetworks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.8}]}, "published": "2022-03-09T18:15:07.740", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2022-0022", "tags": ["Vendor Advisory"], "source": "psirt@paloaltonetworks.com"}, {"url": "https://security.paloaltonetworks.com/CVE-2022-0022", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@paloaltonetworks.com", "description": [{"lang": "en", "value": "CWE-916"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-916"}]}], "descriptions": [{"lang": "en", "value": "Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration. Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. This issue does not impact Prisma Access firewalls. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; All versions of PAN-OS 9.0; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7."}, {"lang": "es", "value": "Uso de un algoritmo criptogr\u00e1fico d\u00e9bil en el software PAN-OS de Palo Alto Networks en el que los hashes de las contrase\u00f1as de las cuentas de administrador y de usuario local no se crean con un nivel de esfuerzo computacional suficiente, lo que permite realizar ataques de descifrado de contrase\u00f1as en las cuentas en modo operativo normal (no FIPS-CC). Un atacante debe tener acceso a los hashes de las contrase\u00f1as de las cuentas para aprovechar esta debilidad y puede adquirir esos hashes si consigue acceder a la configuraci\u00f3n del software PAN-OS. Las versiones corregidas del software PAN-OS utilizan un algoritmo criptogr\u00e1fico seguro para los hashes de las contrase\u00f1as de las cuentas. Este problema no afecta a los cortafuegos Prisma Access. Este problema afecta a: Las versiones de PAN-OS 8.1 anteriores a PAN-OS 8.1.21; todas las versiones de PAN-OS 9.0; las versiones de PAN-OS 9.1 anteriores a PAN-OS 9.1.11; las versiones de PAN-OS 10.0 anteriores a PAN-OS 10.0.7"}], "lastModified": "2024-11-21T06:37:50.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "859B40E3-713E-4FB5-ACB1-0138D937E1B6", "versionEndExcluding": "8.1.21", "versionStartIncluding": "8.1.0"}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "991F1046-EED6-4D6E-B5C8-D60827E5ED5B", "versionEndIncluding": "9.0.15", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3725416F-6A77-40E2-91F3-3EDB9D6C9AC2", "versionEndExcluding": "9.1.11", "versionStartIncluding": "9.1.0"}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F183A33-114C-4A74-ACEF-51C176B3487F", "versionEndExcluding": "10.0.7", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@paloaltonetworks.com"}