Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. PAN-OS is the operating system for Palo Alto Networks appliances. An attacker can exploit this issue using a maliciously crafted URI. The attacker distributes the malicious URI by email or other means and entices an unsuspecting user to follow it, thereby hijacking the user's session ID. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
- PAN-OS versions 7.1, 8.0, 8.1 prior to 8.1.14
- PAN-OS versions 9.0 prior to 9.0.8
Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. Details of the vulnerabilities are as follows:
- CVE-2020-1993: GlobalProtect Portal PHP session fixation vulnerability
- CVE-2020-2006: Buffer overflow in management server payload parser
- CVE-2020-1998: Improper SAML SSO authorization of shared local users
- CVE-2020-2012: Panorama: XML external entity reference ('XXE') vulnerability leads to information leak
- CVE-2020-2007: OS command injection in management server
- CVE-2020-1997: GlobalProtect registration open redirect
- CVE-2020-1994: Predictable temporary file vulnerability
- CVE-2020-1996: Panorama management server log injection
- CVE-2020-2011: Panorama registration denial of service
- CVE-2020-2009: Panorama SD WAN arbitrary file creation
Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.
- After appropriate testing, immediately apply patches or mitigations provided by Palo Alto to vulnerable systems.
- Block external access at the network boundary, unless external parties require service.
- If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
- To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
- Deploy NIDS to detect and block attacks and anomalous activity, such as requests containing suspicious URI sequences. Since the web server may log such requests, review its logs regularly.
- Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
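As an added illustration, not part of this advisory or of any Palo Alto code, the following toy Python session model shows the link-based session fixation flow described in the overview beside a hardened login, together with the request check a NIDS or log review would apply under the recommendation above. The cookie/parameter name PHPSESSID, the request dictionary layout and the planted session id are assumptions made for the model.

```python
import secrets
from typing import Dict, Optional

SESSION_COOKIE = "PHPSESSID"  # assumed cookie/parameter name for the toy model


class SessionStore:
    """In-memory session table: session id -> authenticated user (or None)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Optional[str]] = {}

    def issue(self) -> str:
        sid = secrets.token_hex(16)  # server-generated, unguessable id
        self.sessions[sid] = None
        return sid


def session_id_in_uri(request: dict) -> bool:
    """Detection check: a session id carried in the query string is the
    tell-tale of the link-based fixation flow the advisory describes."""
    return SESSION_COOKIE in request.get("query", {})


def vulnerable_login(store: SessionStore, request: dict, user: str) -> str:
    """Weak pattern: adopt whatever id the client presented (URI first, then
    cookie) and bind the authenticated user to it, so an id planted in a
    link becomes an authenticated session."""
    sid = (request.get("query", {}).get(SESSION_COOKIE)
           or request.get("cookies", {}).get(SESSION_COOKIE)
           or store.issue())
    store.sessions[sid] = user
    return sid


def hardened_login(store: SessionStore, request: dict, user: str) -> str:
    """Fixed pattern: never read the id from the URI, honour only ids the
    server issued, and rotate the id at authentication."""
    presented = request.get("cookies", {}).get(SESSION_COOKIE)
    if presented in store.sessions:
        del store.sessions[presented]  # drop the pre-authentication session
    sid = store.issue()
    store.sessions[sid] = user
    return sid


def fixation_succeeds(login) -> bool:
    """Model the advisory's flow: the victim follows a link carrying a
    planted id and logs in. True if that id is now authenticated."""
    store = SessionStore()
    planted_sid = "planted-session-id"  # constructed value, not a real id
    victim_request = {"query": {SESSION_COOKIE: planted_sid}, "cookies": {}}
    login(store, victim_request, "victim")
    return store.sessions.get(planted_sid) == "victim"
```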
Palo Alto:
https://security.paloaltonetworks.com/
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2009