
New Vulnerabilities in PAN OS (RCE & DoS)

Reference: 
Advisory #2020-029
Version: 
1.0
Affected software: 
PAN OS 8.0
PAN OS 8.1
PAN OS 9.0
PAN OS 9.1
Type: 
Denial of Service (DoS), Remote Code Execution (RCE), Cross-Site Scripting (XSS)
CVE/CVSS: 

CVE-2020-2040 – CVSS : 9.8
CVE-2020-2036 – CVSS : 8.8
CVE-2020-2041 – CVSS : 7.5

Sources

https://security.paloaltonetworks.com/CVE-2020-2040
https://security.paloaltonetworks.com/CVE-2020-2036
https://security.paloaltonetworks.com/CVE-2020-2041

Risks

The buffer overflow vulnerability in the PAN-OS firewall could allow an unauthenticated attacker to disrupt system processes and execute arbitrary code with root privileges by sending a malicious request to the Multi-Factor Authentication (MFA) interface.
The PAN-OS web management interface is vulnerable to reflected Cross-Site Scripting (XSS) and denial of service (DoS).

The XSS flaw in the PAN-OS web management interface allows a remote attacker to trick a system administrator who has an authenticated session on the firewall management interface into clicking a crafted link to that management web interface. This lets the threat actor execute arbitrary JavaScript in the administrator's browser and perform administrative actions with the administrator's privileges.

The DoS vulnerability allows a remote unauthenticated user to send a specially crafted request to the device that causes the appweb service to crash.

Description

These security flaws reside in PAN-OS firewall software and PAN-OS web management interface.

The buffer overflow vulnerability is tracked as CVE-2020-2040 and its severity is classified as critical. This flaw affects all versions of PAN-OS 8.0, PAN-OS 8.1 versions earlier than 8.1.15, PAN-OS 9.0 versions earlier than 9.0.9 and PAN-OS 9.1 versions earlier than 9.1.3. Successful exploitation could allow an unauthenticated attacker to disrupt system processes and possibly execute arbitrary code with root privileges.

The Cross-Site Scripting vulnerability, CVE-2020-2036, affects the web management interface of PAN-OS 8.1 versions earlier than 8.1.16 and PAN-OS 9.0 versions earlier than 9.0.9.

The Denial-of-Service (DoS) vulnerability, CVE-2020-2041, impacts the PAN-OS 8.1 web management interface. It allows a remote unauthenticated user to send a specially crafted request to the device that causes the appweb service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services, because the device restarts and enters maintenance mode.
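As an added check for administrators with many firewalls, the following Python script maps a PAN-OS version string (as printed by `show system info`) to the CVEs in this advisory, using the fixed releases stated in the Description above. It is example code written for this advisory, not code from Palo Alto Networks or CERT.be. The `show system info` sample is constructed. For CVE-2020-2041 the text names only the 8.1 branch without a fixed build, so the script conservatively flags every 8.1 release for it; confirm the fixed build on the vendor page before relying on that entry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected branches per CVE, as stated in this advisory:
# (major, minor) -> first fixed maintenance release on that branch.
# None means the advisory gives no fixed release for the branch, so every
# release on it is treated as affected (conservative choice).
AFFECTED: Dict[str, Dict[Tuple[int, int], Optional[int]]] = {
    "CVE-2020-2040": {(8, 0): None, (8, 1): 15, (9, 0): 9, (9, 1): 3},
    "CVE-2020-2036": {(8, 1): 16, (9, 0): 9},
    # Assumption: the advisory only says "PAN-OS 8.1" for this CVE,
    # with no fixed build, so all 8.1 releases are flagged here.
    "CVE-2020-2041": {(8, 1): None},
}

# PAN-OS versions look like 8.1.14 or 8.1.14-h1 (hotfix on top of 8.1.14).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix) for a PAN-OS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def applicable_cves(version: str) -> List[str]:
    """List the CVEs from this advisory that apply to the given version.

    A hotfix build (e.g. 8.1.15-h3) is at least as new as its base release,
    so only the maintenance number is compared against the fixed release.
    """
    major, minor, maint, _hotfix = parse_version(version)
    hits: List[str] = []
    for cve, branches in AFFECTED.items():
        if (major, minor) not in branches:
            continue  # branch not listed as affected for this CVE
        fixed = branches[(major, minor)]
        if fixed is None or maint < fixed:
            hits.append(cve)
    return hits


def sw_version_from_system_info(output: str) -> str:
    """Extract the sw-version field from 'show system info' output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in output")


# Constructed sample of 'show system info' output (not captured from a device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3220
sw-version: 8.1.14-h1
app-version: 8300-6253
"""

if __name__ == "__main__":
    version = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    for cve in applicable_cves(version):
        print(f"PAN-OS {version} is affected by {cve}")
```

Feed the script the real `show system info` output of each firewall (for example collected over SSH or via the XML API) and upgrade any device for which `applicable_cves` returns a non-empty list to the fixed release named in the Description.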

Recommended Actions

CERT.be recommends that system administrators follow best practices and apply the latest patches released by the vendor as soon as possible. Administrators should also restrict access to the management interface to trusted internal addresses, as recommended by the vendor, so that the web management interface is not reachable from the Internet.

Please refer to the links below:
https://security.paloaltonetworks.com/CVE-2020-2040
https://security.paloaltonetworks.com/CVE-2020-2036
https://security.paloaltonetworks.com/CVE-2020-2041

References

https://securityaffairs.co/wordpress/108127/hacking/palo-alto-networks-p...