SB2020051401 - Multiple vulnerabilities in Palo Alto Networks PAN-OS
Published: May 14, 2020 Updated: December 19, 2023
Description
This security bulletin contains information about 22 security vulnerabilities.
1) Session Fixation (CVE-ID: CVE-2020-1993)
The vulnerability allows a remote attacker to gain unauthorized access to the system.
The vulnerability exists due to an insecure session management mechanism within the GlobalProtect Portal feature in PAN-OS. A remote non-authenticated attacker with the ability to control the victim's session identifier can hijack the victim's session.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-1994)
The vulnerability allows a local user to corrupt arbitrary files on the system.
The vulnerability exists because the application uses predictable filenames for temporary files. A local user with shell access to the system can corrupt arbitrary files.
3) NULL pointer dereference (CVE-ID: CVE-2020-1995)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the rasmgr daemon. A remote authenticated administrator can send a specially crafted request to the system, trigger the NULL pointer dereference and cause a denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode.
4) Improper Authorization (CVE-ID: CVE-2020-1996)
The vulnerability allows a remote attacker to bypass authorization and manipulate log files.
The vulnerability exists in the management server component of PAN-OS Panorama. A remote non-authenticated attacker can send a specially crafted request to the system and inject messages into the management server ms.log file.
Successful exploitation of the vulnerability may allow an attacker to obfuscate log files and hide malicious presence on the system.
5) Open redirect (CVE-ID: CVE-2020-1997)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data after successful authentication in the GlobalProtect component of Palo Alto Networks PAN-OS. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
6) Improper Authorization (CVE-ID: CVE-2020-1998)
The vulnerability allows a remote user to gain elevated privileges on the system.
The vulnerability exists within SAML SSO in PAN-OS, which mistakenly uses the permissions of local Linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. A remote user can escalate privileges on the system.
7) Arbitrary file upload (CVE-ID: CVE-2020-2001)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to insufficient validation of files during upload in the Palo Alto Networks PAN-OS Panorama XSLT processing logic. A remote non-authenticated attacker can upload a malicious file and execute it on the system with administrator privileges.
8) Improper Authentication (CVE-ID: CVE-2020-2002)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the authentication daemon and User-ID components of Palo Alto Networks PAN-OS fail to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users. This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle attacker with the ability to intercept communication between PAN-OS and the KDC can log in to PAN-OS as an administrator.
9) Improper access control (CVE-ID: CVE-2020-2003)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the application allows a remote user to manipulate the filename during file deletion and does not check whether the user has the appropriate permissions to delete files. A remote user can send a specially crafted request to the system and delete arbitrary files.
10) Cross-site scripting (CVE-ID: CVE-2020-2005)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Palo Alto Networks GlobalProtect Clientless VPN. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to hijack the victim's VPN session.
11) Buffer overflow (CVE-ID: CVE-2020-2006)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the management server payload parser. A remote user can trigger memory corruption and execute arbitrary code on the target system with root privileges.
12) OS Command Injection (CVE-ID: CVE-2020-2007)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the management server component of PAN-OS. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
13) OS Command Injection (CVE-ID: CVE-2020-2008)
The vulnerability allows a remote administrator to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in Palo Alto Networks PAN-OS. A remote authenticated administrator can pass specially crafted data to the application and delete arbitrary files or execute arbitrary OS commands on the target system with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
14) Arbitrary file upload (CVE-ID: CVE-2020-2009)
The vulnerability allows a remote user to compromise the vulnerable system.
The vulnerability exists due to insufficient validation of files during upload in the SD-WAN component of Palo Alto Networks PAN-OS Panorama. A remote authenticated user can upload a malicious file and execute it on the server.
15) OS Command Injection (CVE-ID: CVE-2020-2010)
The vulnerability allows a remote administrator to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in PAN-OS management interface. A remote authenticated administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.
16) XML External Entity injection (CVE-ID: CVE-2020-2012)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input in the Palo Alto Networks Panorama management service. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.
17) Cleartext transmission of sensitive information (CVE-ID: CVE-2020-2013)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the software uses an insecure communication channel to transmit sensitive information in Palo Alto Networks PAN-OS Panorama, which discloses an authenticated PAN-OS administrator's PAN-OS session cookie. When an administrator issues a context switch request into a managed firewall with an affected PAN-OS Panorama version, their PAN-OS session cookie is transmitted in cleartext to the firewall. An attacker with the ability to intercept this network traffic between the firewall and Panorama can access the administrator's account and further manipulate devices managed by Panorama.
18) OS Command Injection (CVE-ID: CVE-2020-2014)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in PAN-OS management server. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
19) Buffer overflow (CVE-ID: CVE-2020-2015)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the PAN-OS management server. A remote authenticated user can send a specially crafted request to the system, trigger memory corruption and execute arbitrary code on the target system with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
20) DOM-based cross-site scripting (CVE-ID: CVE-2020-2017)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
21) Improper Authentication (CVE-ID: CVE-2020-2018)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an insecure registration mechanism in the Palo Alto Networks PAN-OS Panorama proxy service. A remote attacker with network access to Panorama and knowledge of the firewall's serial number can register the PAN-OS firewall and gain full access to the device.
22) Integer overflow (CVE-ID: CVE-2017-7529)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an integer overflow when processing specially crafted requests. A remote attacker can send a malicious request to the vulnerable server and gain access to potentially sensitive information.
When using nginx with standard modules, this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations a cache file header may contain the IP address of the backend server or other sensitive information.
Remediation
Install updates from the vendor's website.
References
- https://security.paloaltonetworks.com/CVE-2020-1993
- https://security.paloaltonetworks.com/CVE-2020-1994
- https://security.paloaltonetworks.com/CVE-2020-1995
- https://security.paloaltonetworks.com/CVE-2020-1996
- https://security.paloaltonetworks.com/CVE-2020-1997
- https://security.paloaltonetworks.com/CVE-2020-1998
- https://security.paloaltonetworks.com/CVE-2020-2001
- https://security.paloaltonetworks.com/CVE-2020-2002
- https://security.paloaltonetworks.com/CVE-2020-2003
- https://security.paloaltonetworks.com/CVE-2020-2005
- https://security.paloaltonetworks.com/CVE-2020-2006
- https://security.paloaltonetworks.com/CVE-2020-2007
- https://security.paloaltonetworks.com/CVE-2020-2008
- https://security.paloaltonetworks.com/CVE-2020-2009
- https://security.paloaltonetworks.com/CVE-2020-2010
- https://security.paloaltonetworks.com/CVE-2020-2012
- https://security.paloaltonetworks.com/CVE-2020-2013
- https://security.paloaltonetworks.com/CVE-2020-2014
- https://security.paloaltonetworks.com/CVE-2020-2015
- https://security.paloaltonetworks.com/CVE-2020-2017
- https://security.paloaltonetworks.com/CVE-2020-2018
- https://security.paloaltonetworks.com/CVE-2017-7529