New Vulnerabilities in PAN OS (RCE & DoS)
CVE-2020-2040 – CVSS : 9.8
CVE-2020-2036 – CVSS : 8.8
CVE-2020-2041 – CVSS : 7.5
The buffer overflow vulnerability in PAN-OS firewall could allow an unauthenticated attacker to disrupt the system process and also execute arbitrary code with root privileges by sending a malicious request to the Multi-Factor Authenticated interface.
The PAN-OS web management interface is vulnerable to reflected Cross-Site Scripting (XXS) and denial-of-service (Dos).
The DoS vulnerability allows a remote unauthenticated user to send a specifically crafted request to the device that causes the appweb service to crash.
These security flaws reside in PAN-OS firewall software and PAN-OS web management interface.
The Buffer overflow vulnerability is tracked as “CVE-2020-2040” and its severity is classified as critical. This flaw affects all the versions of PAN-OS 8.0, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9, PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. Successful exploitation of this vulnerability could allow an attacker to disrupt the system and possibly execute arbitrary code.
The Cross-Site-Scripting vulnerability -CVE-2020-2036, affects web management interface of PAN-OS 8.1 versions earlier than PAN-OS 8.1.16 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
The Denial-of-Service (DoS) vulnerability - CVE-2020-2041 impacts PAN-OS 8.1 web management interface. This vulnerability allows a remote unauthenticated user to send a specifically crafted request to the device that causes the appweb service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode.
CERT.be recommends system administrators to follow the best practices and apply the latest patches released by the vendor as soon as possible.
Please refer to the links below :