[R2] Palo Alto Networks Panorama VM Appliance PAN-OS Firmware Signature Verification Bypass Arbitrary Code Execution

Palo Alto Networks Panorama VM Appliance, running PAN-OS version 6.0 contains a flaw related to the processing of new firmware. During the installation of the firmware, the system will execute python code within an image file before verifying the signature of the of the file. A portion of the vulnerable code:

# Read out the image header
f = open(secimage, 'rb')
hdr = f.read(256)
hdr = f.read(3584)
f.close()
try:
hdr = struct.unpack('3584s', hdr)[0].split('\0')[0]
Try and ensure a dictionary before running eval on it
if hdr[0] == ' {' and hdr[-1] == '}
':
self.imginfo.update(eval(hdr))
except: pass

Exploitation of this issue would require tricking an administrator to install a file from a malicious source (e.g. social engineering, hosting on a phishing site, man-in-the-middle a legitimate download). If the device has an auto-update mechanism for firmware, a man-in-the-middle attack would be more feasible.

Note that other Palo Alto devices and technology may contain the same flaw, but were not tested.