Multiple Vulnerabilities in Palo Alto PAN-OS Could Allow for Session Fixation Attacks

ITS Advisory Number: 
2020-067
Date(s) Issued: 
Friday, May 15, 2020
Subject: 
Multiple Vulnerabilities in Palo Alto PAN-OS Could Allow for Session Fixation Attacks
Overview: 

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. PAN-OS is the operating system for Palo Alto Networks appliances. An attacker can exploit this issue using a maliciously crafted URI. The attacker uses email or other means to distribute the malicious URI and entices an unsuspecting user to follow it, thereby fixing the user's session ID to a value the attacker already knows. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.
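To make the session fixation mechanism above concrete, the following is an added Python illustration of the vulnerability class, not PAN-OS code and not part of this advisory: a server that honours a session ID supplied in the URI and keeps that ID across login lets a crafted link pre-select the victim's session, while trusting only the cookie and regenerating the ID at login closes the hole. The portal URL, the PHPSESSID parameter name, the credential and the in-memory store are all constructed for the example.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed in-memory session store: session_id -> {"user": ...}
SESSIONS = {}

def session_id_from_request(uri, cookie_sid=None, *, allow_uri_sid):
    """Choose the session ID a request carries.
    Weak behaviour (allow_uri_sid=True): honour a PHPSESSID query parameter,
    which is what lets a crafted link plant an attacker-chosen ID.
    Hardened behaviour: trust only the cookie."""
    if allow_uri_sid:
        qs = parse_qs(urlparse(uri).query)
        if "PHPSESSID" in qs:
            return qs["PHPSESSID"][0]
    return cookie_sid

def login(sid, username, password, *, regenerate):
    """Authenticate the user. Hardened mode (regenerate=True) discards the
    pre-login session ID and issues a fresh unpredictable one."""
    if password != "correct-horse":      # constructed credential check
        return None
    if regenerate:
        SESSIONS.pop(sid, None)
        sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username}
    return sid

def whoami(sid):
    """Return the user bound to a session ID, or None if unauthenticated."""
    return SESSIONS.get(sid, {}).get("user")

def simulate(hardened):
    """Walk through the advisory's scenario and report whether the
    attacker-chosen ID ends up bound to the victim's authenticated session."""
    SESSIONS.clear()
    planted = "attacker-chosen-id"
    link = f"https://portal.example/login?PHPSESSID={planted}"  # constructed URL
    # Victim follows the link; the first request carries no cookie yet.
    sid = session_id_from_request(link, None, allow_uri_sid=not hardened)
    if sid is None:
        sid = secrets.token_hex(16)      # hardened server mints its own ID
    login(sid, "alice", "correct-horse", regenerate=hardened)
    return whoami(planted)               # vulnerable: "alice"; hardened: None
```

The check a practitioner wants is the second one: after the fix, the ID carried in the URI must never resolve to an authenticated user.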


THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • PAN-OS versions 7.1, 8.0, 8.1 prior to 8.1.14
  • PAN-OS versions 9.0 prior to 9.0.8
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. Details of the vulnerabilities are as follows:

  • CVE-2020-1993: GlobalProtect Portal PHP session fixation vulnerability
  • CVE-2020-2006: Buffer overflow in management server payload parser
  • CVE-2020-1998: Improper SAML SSO authorization of shared local users
  • CVE-2020-2012: Panorama XML external entity reference ('XXE') vulnerability leading to information leak
  • CVE-2020-2007: OS command injection in management server
  • CVE-2020-1997: GlobalProtect registration open redirect
  • CVE-2020-1994: Predictable temporary file vulnerability
  • CVE-2020-1996: Panorama management server log injection
  • CVE-2020-2011: Panorama registration denial of service
  • CVE-2020-2009: Panorama SD WAN arbitrary file creation

Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.

Actions: 
  • After appropriate testing, immediately apply patches or mitigations provided by Palo Alto to vulnerable systems.
  • Block external access at the network boundary, unless external parties require service.
  • If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.
  • Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.