Multiple Vulnerabilities in Palo Alto PAN-OS Could Allow for Session Fixation Attacks
MS-ISAC ADVISORY NUMBER: 2020-067
OVERVIEW:
Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. PAN-OS is the operating system that runs on Palo Alto Networks appliances. An attacker can exploit the session fixation issue with a maliciously crafted URI: the attacker distributes the URI by email or other means and entices an unsuspecting user to follow it, so that the user's session runs under a session ID the attacker already knows and can reuse. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- PAN-OS 7.1, 8.0, 8.1 prior to 8.1.14
- PAN-OS 9.0 prior to 9.0.8
RISK:
- Large and medium government entities: HIGH
- Small government entities: N/A
- Large and medium business entities: HIGH
- Small business entities: HIGH
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. Details of the vulnerabilities are as follows:
- CVE-2020-1993: GlobalProtect Portal PHP session fixation vulnerability
- CVE-2020-2006: Buffer overflow in management server payload parser
- CVE-2020-1998: Improper SAML SSO authorization of shared local users
- CVE-2020-2012: Panorama XML external entity reference ('XXE') vulnerability leading to information leak
- CVE-2020-2007: OS command injection in management server
- CVE-2020-1997: GlobalProtect registration open redirect
- CVE-2020-1994: Predictable temporary file vulnerability
- CVE-2020-1996: Panorama management server log injection
- CVE-2020-2011: Panorama registration denial of service
- CVE-2020-2009: Panorama SD-WAN arbitrary file creation
Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.
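The attack flow the advisory describes, shown as an added example in Python. This is not PAN-OS or Palo Alto Networks code and it does not reproduce the mechanism of CVE-2020-1993; it is a toy session store that, in its weak configuration, accepts a session ID from the URI and keeps that same ID across login. The store, the handler names, the `PHPSESSID` parameter name, the hostname and the fixed session value are assumptions made for the example. It compares the weak behaviour with two independent fixes: only ever using server-issued IDs, and rotating the ID when the user authenticates.

```python
"""Session fixation, modelled on a minimal in-memory web session store.

Added example: this is not PAN-OS or Palo Alto Networks code, and it does not
reproduce the mechanism of CVE-2020-1993. The store, the handler functions,
the parameter name and the hostname are hypothetical; they model the class of
bug the advisory describes (an attacker picks a session ID, delivers it to the
victim in a crafted URI, and reuses it once the victim has logged in).
"""
import secrets
from urllib.parse import parse_qs, urlparse

SESSION_PARAM = "PHPSESSID"  # hypothetical name of the session parameter/cookie


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new(self):
        sid = secrets.token_hex(16)  # server-generated, unguessable
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def resolve_session(store, url, cookies, accept_from_url):
    """Pick the session ID for a request.

    With accept_from_url=True the server honours an ID carried in the query
    string and creates a session under that value if none exists. That is the
    weak behaviour: the attacker, not the server, chooses the identifier.
    """
    sid = cookies.get(SESSION_PARAM)
    if accept_from_url:
        query = parse_qs(urlparse(url).query)
        if SESSION_PARAM in query:
            sid = query[SESSION_PARAM][0]
    if sid in store.sessions:
        return sid
    if accept_from_url and sid:
        store.sessions[sid] = {"user": None}  # adopt the externally supplied ID
        return sid
    return store.new()


def login(store, sid, user, rotate_on_login):
    """Authenticate the session. Rotating the ID on privilege change discards
    the pre-login identifier, which is the one an attacker could have fixed."""
    if rotate_on_login:
        store.sessions.pop(sid, None)
        sid = store.new()
    store.sessions[sid]["user"] = user
    return sid


def run_attack(accept_from_url, rotate_on_login):
    """Simulate the attack described in the advisory and return the user the
    attacker is treated as when replaying the fixed ID (None = attack failed)."""
    store = SessionStore()
    attacker_sid = "a1b2c3d4e5f60718"  # constructed: the value the attacker fixes
    crafted_uri = f"https://portal.example.test/login?{SESSION_PARAM}={attacker_sid}"
    # 1. Victim follows the emailed link with no existing session cookie.
    sid = resolve_session(store, crafted_uri, cookies={}, accept_from_url=accept_from_url)
    # 2. Victim authenticates on that session.
    login(store, sid, "victim", rotate_on_login)
    # 3. Attacker presents the ID they chose in step 1.
    return store.user_for(attacker_sid)


if __name__ == "__main__":
    print("accept ID from URI, no rotation :", run_attack(True, False))   # victim
    print("accept ID from URI, rotate      :", run_attack(True, True))    # None
    print("server-issued ID, no rotation   :", run_attack(False, False))  # None
```

Either fix alone defeats the replay in this model; real portals should do both, since rotation protects against IDs fixed by other means (for example an injected cookie) that the URI check never sees.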
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply the patches or mitigations provided by Palo Alto Networks to vulnerable systems immediately after appropriate testing.
- Block external access at the network boundary, unless external parties require service.
- If global access isn’t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
- To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
- Deploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the web server may log such requests, review its logs regularly.
- Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
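A log review along the lines of the NIDS and web-server-log recommendations above, as an added example in Python (not Palo Alto Networks tooling). It parses a few constructed combined-format access log lines and flags two things a practitioner would look for after this advisory: requests that carry a session-ID-like parameter in the URI, which is how a fixed session ID would be delivered by link, and any session value that arrives from more than one client address, which is what a successful fixation or hijack looks like once the victim has logged in. The `/portal` paths, the addresses, the parameter list and the session value are all constructed for the example, not taken from PAN-OS.

```python
"""Review web-server access logs for session identifiers carried in URIs.

Added example, not Palo Alto Networks tooling. The log lines are constructed
(combined log format, RFC 5737 documentation addresses, hypothetical /portal
paths) and SESSION_PARAMS is a generic list of parameter names, not PAN-OS's.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SESSION_PARAMS = {"phpsessid", "sessionid", "session_id", "jsessionid", "sid"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a normal user (203.0.113.7), a victim who followed a
# crafted link (198.51.100.23), and an attacker replaying the same session
# value from a different address (192.0.2.99).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2020:08:01:12 +0000] "GET /portal/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2020:08:02:40 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2020:08:05:03 +0000] "GET /portal/login?PHPSESSID=a1b2c3d4e5f60718 HTTP/1.1" 200 1532 "http://mail.example.test/" "Mozilla/5.0"
198.51.100.23 - - [10/May/2020:08:05:41 +0000] "POST /portal/login?PHPSESSID=a1b2c3d4e5f60718 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [10/May/2020:08:06:15 +0000] "GET /portal/home?PHPSESSID=a1b2c3d4e5f60718 HTTP/1.1" 200 8801 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2020:08:07:02 +0000] "GET /portal/home HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def session_ids_in_uri(entries):
    """(ip, param, value, path) for every request carrying a session ID in its query string."""
    hits = []
    for e in entries:
        parts = urlsplit(e["target"])
        for key, values in parse_qs(parts.query).items():
            if key.lower() in SESSION_PARAMS:
                hits.append((e["ip"], key, values[0], parts.path))
    return hits


def shared_session_ids(entries):
    """Session values seen in URIs from more than one client IP -> sorted list of IPs."""
    seen = defaultdict(set)
    for ip, _param, value, _path in session_ids_in_uri(entries):
        seen[value].add(ip)
    return {value: sorted(ips) for value, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for hit in session_ids_in_uri(entries):
        print("session ID in URI:", hit)
    for value, ips in shared_session_ids(entries).items():
        print(f"session {value} used from {len(ips)} addresses: {', '.join(ips)}")
```

On a real portal the session value is normally only in the Cookie header, which the default log format does not record; the first check therefore has a low false-positive rate, and a hit from a referer on a mail or webmail host is exactly the delivery path the advisory warns about. Extend the second check with cookie logging if the server supports it.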