
Multiple vulnerabilities patched within Panorama firewall management tool

Reference: Advisory #2020-017
Version: 2
Affected software: 
PAN-OS 7.1 versions earlier than 7.1.26
PAN-OS 8.0 all versions (EoL)
PAN-OS 8.1 versions earlier than 8.1.13
PAN-OS 9.0 versions earlier than 9.0.7
Type: Several vulnerabilities, including Remote Code Execution (RCE) and Authentication Bypass
CVE/CVSS: 

CVE-2020-2029 - CVSSv3 7.2
CVE-2020-2028 - CVSSv3 7.2
CVE-2020-2027 - CVSSv3 7.2
CVE-2020-2018 - CVSSv3 9.0
CVE-2020-2012 - CVSSv3 7.5
CVE-2020-2011 - CVSSv3 7.5
CVE-2020-2005 - CVSSv3 7.1
CVE-2020-2002 - CVSSv3 8.1

Sources

https://www.securityweek.com/palo-alto-networks-patches-many-vulnerabilities-pan-os
https://security.paloaltonetworks.com/CVE-2020-2029
https://security.paloaltonetworks.com/CVE-2020-2028
https://security.paloaltonetworks.com/CVE-2020-2027
https://security.paloaltonetworks.com/CVE-2020-2018
https://security.paloaltonetworks.com/CVE-2020-2012
https://security.paloaltonetworks.com/CVE-2020-2011
https://security.paloaltonetworks.com/CVE-2020-2005
https://security.paloaltonetworks.com/CVE-2020-2002

Risks

These vulnerabilities allow for a wide range of attacks; the most severe, CVE-2020-2018, makes an authentication bypass possible.
The others include leakage of data from the application, spoofing of the Kerberos key distribution center (KDC), remote code execution and denial of service.

Description

Palo Alto Networks disclosed multiple vulnerabilities in PAN-OS, the operating system of its firewalls and of the Panorama management system. All of them are resolved in the fixed releases listed above and are described in detail in the vendor advisories linked under Sources. The most severe, CVE-2020-2018, is an authentication bypass in Panorama: an attacker with network access to the Panorama management interface can obtain privileged access to the firewalls it manages.

The patch also addresses the high-risk vulnerabilities that could be exploited to escalate privileges, execute code with root permissions, hijack administrator accounts, perform cross-site scripting attacks and delete files. Most of these require the attacker to be authenticated already, or to be in a position to intercept network traffic between the affected components.

PAN-OS 8.0 has reached end-of-life and no longer receives security updates from the vendor; installations still running it must be upgraded to a supported release to obtain these fixes.

Earlier in June, Palo Alto Networks published additional vulnerabilities affecting PAN-OS, which are also resolved in the latest versions. Make sure the version running within your organization is not affected by any of the recently published vulnerabilities, not only those listed in this advisory.
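The affected-version list above can be turned into a quick fleet check. The following is an added example written for this page; it is neither CERT.be nor Palo Alto Networks code. It assumes version strings of the form "major.minor.maint" with an optional "-hN" hotfix suffix (for example 9.0.6 or 9.0.7-h1), and the inventory it runs on is constructed sample data with made-up hostnames.

```python
"""Triage PAN-OS version strings against the fixed releases listed in this advisory.

Added example, not CERT.be or Palo Alto Networks code. Version strings are
assumed to look like "major.minor.maint" with an optional "-hN" hotfix suffix
(e.g. "9.0.6", "9.0.7-h1"); the inventory below is constructed sample data.
"""
import re

# First fixed release of each supported release train, from the advisory.
FIXED = {
    (7, 1): (7, 1, 26),
    (8, 1): (8, 1, 13),
    (9, 0): (9, 0, 7),
}
# Release trains that are end-of-life and will never receive a fix.
EOL = {(8, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse "9.0.7-h1" into (9, 0, 7, 1); a missing hotfix suffix counts as 0.

    Raises ValueError for anything that does not look like a PAN-OS version, so a
    typo in an inventory cannot silently be reported as "fixed".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(text):
    """Classify one version as 'fixed', 'vulnerable', 'eol' or 'unknown'.

    'unknown' means the release train is not covered by this advisory at all
    (for example 9.1.x); that is a prompt to check the vendor page, not a pass.
    """
    version = parse_version(text)
    train = version[:2]
    if train in EOL:
        return "eol"
    if train not in FIXED:
        return "unknown"
    # Tuple comparison: the fixed release itself and any hotfix on top of it pass;
    # an earlier maintenance release fails regardless of its own hotfix level.
    return "fixed" if version >= FIXED[train] + (0,) else "vulnerable"


def triage(inventory):
    """Map each host in {hostname: version} to its status.

    A malformed entry is reported as 'invalid' instead of aborting the run, so the
    rest of the fleet is still triaged.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "invalid"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "panorama-01": "9.0.6",
    "fw-edge-01": "8.1.13",
    "fw-edge-02": "8.1.12-h5",
    "fw-legacy": "8.0.21",
    "fw-lab": "7.1.25",
    "fw-new": "9.1.2",
    "fw-typo": "9.0",
}


def needs_action(inventory):
    """Hosts that must be patched, upgraded or investigated (everything not 'fixed')."""
    return sorted(h for h, s in triage(inventory).items() if s != "fixed")


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {status}")
```

In operational use the string to feed in would be the running software version reported by each device (for example the sw-version field of `show system info` on the PAN-OS CLI; this is an assumption about how the script would be used, not something the advisory states). Note that hotfix releases of an older maintenance version (8.1.12-h5) are still classed as vulnerable: the fix is in 8.1.13, not in any 8.1.12 hotfix.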

Recommended Actions

CERT.be recommends installing the latest updates for PAN-OS and the Panorama management system provided by the vendor.
It is also advised to follow the vendor's guidelines to set up the application and firewalls correctly: