CVE-2019-17440

PAN-OS on PA-7000 Series: Improper restriction of communication to Log Forwarding Card (LFC) allows root access

Description

Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured. This issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC). This issue does not affect any other PA series devices. This issue does not affect devices without an LFC. This issue does not affect PAN-OS 8.1 or prior releases. This issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted.

Remediation

Solution:

  • This issue is fixed in 9.0.5-h3 and all subsequent releases. Content update 8218-5815 also fixes the issue.

Workaround:

  • (1) Content update 8218-5815 can be applied without requiring a software update. Once the content update is installed please ensure that next PAN-OS upgrade is to a fixed version (9.0.5-h3 or later). Do not upgrade or downgrade to an affected release, as it can reintroduce the vulnerability. (2) Configure security policies to prevent network sessions destined to LFC. (3) Ensure that LFC is only connected to a secured administrative network with access restricted to trusted users. (4) Disable or disconnect LFC from the network until fixes can be applied.

Category

10.0
CVSS
Severity: Critical
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.45%
Affected: Palo Alto Networks PAN-OS
Affected: Palo Alto Networks PAN-OS
Published at:
Updated at:

References

Link Tags
https://security.paloaltonetworks.com/CVE-2019-17440

Frequently Asked Questions

What is the severity of CVE-2019-17440?
CVE-2019-17440 has been scored as a critical severity vulnerability.
How to fix CVE-2019-17440?
To fix CVE-2019-17440: This issue is fixed in 9.0.5-h3 and all subsequent releases. Content update 8218-5815 also fixes the issue.
Is CVE-2019-17440 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2019-17440 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-17440?
CVE-2019-17440 affects Palo Alto Networks PAN-OS, Palo Alto Networks PAN-OS.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.