Multiple Vulnerabilities in Palo Alto PAN-OS Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-130

DATE(S) ISSUED:

09/10/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for arbitrary code execution. PAN-OS is an operating system for Palo Alto Network Appliances. An attacker can exploit this issue by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to disrupt system processes and potentially execute arbitrary code with root privileges.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • All versions of PAN-OS 8.0
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
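
The following is an added example, not part of the original advisory or any Palo Alto tooling: a small inventory triage that applies the version thresholds listed above. The version string format (an optional "-hN" hotfix suffix), the status names, and the sample hostnames are assumptions made for illustration.

```python
import re

# Thresholds from the SYSTEMS AFFECTED list: release train -> first maintenance
# release that is not listed as affected. None means the whole train is affected.
FIRST_UNAFFECTED = {(8, 0): None, (8, 1): 15, (9, 0): 9, (9, 1): 3}

# Assumption: versions look like "9.0.8" or "9.0.8-h2" (hotfix suffix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version):
    """Return 'affected', 'not-affected', 'not-listed' or 'unparsed'."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        return "unparsed"
    major, minor, maintenance = (int(part) for part in match.groups())
    train = (major, minor)
    if train not in FIRST_UNAFFECTED:
        # The advisory is silent about this train; do not report it as safe.
        return "not-listed"
    threshold = FIRST_UNAFFECTED[train]
    if threshold is None or maintenance < threshold:
        # A hotfix on an older release (9.0.8-h2) is still earlier than 9.0.9.
        return "affected"
    return "not-affected"


def triage(inventory):
    """Group hostnames by status so 'affected' and 'unparsed' are reviewed first."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.0.20",
    "fw-edge-02": "8.1.14-h2",
    "fw-dc-01": "8.1.15",
    "fw-dc-02": "9.0.9-h1",
    "fw-lab-01": "9.1.2",
    "fw-lab-02": "10.0.0",
    "fw-old-01": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as "not-listed" or "unparsed" need a manual check against the vendor's own advisories, since this list only covers the 8.0, 8.1, 9.0 and 9.1 trains.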

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

  • Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled (CVE-2020-2040)
  • Reflected Cross-Site Scripting (XSS) vulnerability in management web interface (CVE-2020-2036)
  • Management web interface denial-of-service (DoS) (CVE-2020-2041)
  • OS command injection vulnerability in the management web interface (CVE-2020-2037)
  • OS command injection vulnerability in the management web interface (CVE-2020-2038)
  • Buffer overflow in the management web interface (CVE-2020-2042)
  • Management web interface denial-of-service (DoS) through unauthenticated file upload (CVE-2020-2039)
  • Passwords may be logged in clear text when using after-change-detail custom syslog field for config logs (CVE-2020-2043)
  • Passwords may be logged in clear text while storing operational command (op command) history (CVE-2020-2044)

Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Palo Alto to vulnerable systems immediately after appropriate testing.
  • Block external access at the network boundary, unless external parties require service.
  • If global access isn’t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
