Multiple Vulnerabilities in Palo Alto PAN-OS Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2020-130
Date(s) Issued: 
Thursday, September 10, 2020
Subject: 
Multiple Vulnerabilities in Palo Alto PAN-OS Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for arbitrary code execution. PAN-OS is an operating system for Palo Alto Network Appliances. An attacker can exploit this issue by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to disrupt system processes and potentially execute arbitrary code with root privileges.

 

THREAT INTELLIGENCE:

There is currently no reports of these vulnerabilities being exploited in the wild.

 

Systems Affected: 
  • All versions of PAN-OS 8.0
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

  • Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled (CVE-2020-2040)
  • Reflected Cross-Site Scripting (XSS) vulnerability in management web interface (CVE-2020-2036)
  • Management web interface denial-of-service (DoS) (CVE-2020-2041)
  • OS command injection vulnerability in the management web interface (CVE-2020-2037)
  • OS command injection vulnerability in the management web interface (CVE-2020-2038)
  • Buffer overflow in the management web interface (CVE-2020-2042)
  • Management web interface denial-of-service (DoS) through unauthenticated file upload (CVE-2020-2039)
  • Passwords may be logged in clear text when using after-change-detail custom syslog field for config logs (CVE-2020-2043)
  • Passwords may be logged in clear text while storing operational command (op command) history (CVE-2020-2044)

Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.

Actions: 
  • After appropriate testing, immediately apply patches or mitigations provided by Palo Alto to vulnerable systems. 
  • Block external access at the network boundary, unless external parties require service.
  • If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
  • To reduce the impact of latent vulnerabilities, always run non administrative software as an unprivileged user with minimal access rights.