Multiple vulnerabilities patched within Panorama firewall management tool
CVE-2020-2029 - CVSSv3 7.2
CVE-2020-2028 - CVSSv3 7.2
CVE-2020-2027 - CVSSv3 7.2
CVE-2020-2018 - CVSSv3 9.0
CVE-2020-2012 - CVSSv3 7.5
CVE-2020-2011 - CVSSv3 7.5
CVE-2020-2005 - CVSSv3 7.1
CVE-2020-2002 - CVSSv3 8.1
These vulnerabilities allow for a wide range of attacks; the most severe makes an authentication bypass possible.
Others include the risk of data being leaked from the application, spoofing of Kerberos key distribution, remote code execution and a distributed denial-of-service attack.
Palo Alto disclosed multiple vulnerabilities found within the PAN-OS firewall management system. All of these have been resolved in the latest patch and are described in detail on the vendor's website. The most severe, CVE-2020-2018, makes it possible for an attacker to gain access to the Panorama management system's interface and to gain privileged access to the firewalls.
The patch addresses all high-risk vulnerabilities that could be exploited to escalate privileges, perform remote code execution with root permissions, hijack admin accounts, launch cross-site scripting attacks and delete files. Most of these are possible after the attacker has authenticated or if the attacker is able to read network traffic.
PAN-OS 8.0 has reached its end of life and will no longer be supported or updated by the developers.
Earlier in June, Palo Alto published additional vulnerabilities affecting PAN-OS, which are resolved in the latest versions. Please be sure to check that the version running within the organization is not affected by the latest published vulnerabilities.
CERT.be recommends installing all of the latest updates for the Panorama Management System provided by the developers.
It is also advised to follow the guidelines provided by them to set up your application and firewall correctly: