
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN193
_____________________________________________________________________

DATE                : 15/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions prior to 7.1.26, 8.0.21, 8.1.13,
                                      9.0.7, 9.1.2.

=====================================================================
https://securityadvisories.paloaltonetworks.com/PAN-SA-2020-0002
https://securityadvisories.paloaltonetworks.com/CVE-2020-1992
https://securityadvisories.paloaltonetworks.com/CVE-2020-1990
_____________________________________________________________________


Palo Alto Networks Security Advisories / PAN-SA-2020-0002

PAN-SA-2020-0002 PAN-OS: OpenSSH software upgraded to resolve multiple
vulnerabilities


Severity                 6.8 MEDIUM
Attack Vector            NETWORK
Attack Complexity        HIGH
Privileges Required      NONE
User Interaction         REQUIRED
Scope                    UNCHANGED
Confidentiality Impact   NONE
Integrity Impact         HIGH
Availability Impact      HIGH
Published:               2020-04-08
Updated:                 2020-04-08
Ref#:                    PAN-111636


Description

OpenSSH software included with PAN-OS has been upgraded to resolve
multiple vulnerabilities.

These issues affect Palo Alto Networks PAN-OS 7.1 versions before
7.1.26; 8.0 versions before 8.0.21; 8.1 versions before 8.1.13; 9.0
versions before 9.0.7.

The resolved vulnerabilities include:

CVE-2018-20685
  CVSS:    5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
  Summary: In OpenSSH 7.9, scp.c in the scp client allows remote SSH
           servers to bypass intended access restrictions via the
           filename of . or an empty filename. The impact is modifying
           the permissions of the target directory on the client side.

CVE-2019-6109
  CVSS:    6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
  Summary: An issue was discovered in OpenSSH 7.9. Due to missing
           character encoding in the progress display, a malicious
           server (or Man-in-The-Middle attacker) can employ crafted
           object names to manipulate the client output, e.g., by using
           ANSI control codes to hide additional files being
           transferred. This affects refresh_progress_meter() in
           progressmeter.c.

CVE-2019-6111
  CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
  Summary: An issue was discovered in OpenSSH 7.9. Due to the scp
           implementation being derived from 1983 rcp, the server
           chooses which files/directories are sent to the client.
           However, the scp client only performs cursory validation of
           the object name returned (only directory traversal attacks
           are prevented). A malicious scp server (or Man-in-The-Middle
           attacker) can overwrite arbitrary files in the scp client
           target directory. If recursive operation (-r) is performed,
           the server can manipulate subdirectories as well (for
           example, to overwrite the .ssh/authorized_keys file).
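The three scp issues above share one root cause: the client trusts the
file names the server sends back. The following is an added example,
not OpenSSH's or Palo Alto Networks' code, showing the kind of
client-side checks that close them: a returned name is accepted only if
it is not empty, not "." or "..", contains no path separator or control
character, and matches the pattern the client actually requested (via
POSIX fnmatch(3)); separately, any server-supplied name is scrubbed of
non-printable bytes before it reaches the terminal. All function names
and the sample names are this example's own.

```c
/* Added example (not OpenSSH's or Palo Alto Networks' code): client-side
 * validation of file names an scp server returns, in the spirit of the
 * hardening applied for CVE-2018-20685, CVE-2019-6109 and CVE-2019-6111.
 * Function names and sample inputs are this example's own assumptions. */
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reject names that can escape or rewrite the client's target directory
 * (empty, "." or "..", any '/') or that carry bytes outside printable
 * ASCII, which only matter for terminal escape tricks. */
static int name_is_safe(const char *name)
{
    const unsigned char *p;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p == '/' || *p < 0x20 || *p >= 0x7f)
            return 0;
    }
    return 1;
}

/* The client asked for files matching `pattern`; only accept a returned
 * name that the request could legitimately have produced. */
static int name_matches_request(const char *name, const char *pattern)
{
    return fnmatch(pattern, name, 0) == 0;
}

/* Combined decision, to be taken before the client creates or
 * overwrites anything in the target directory. Returns 1 = accept. */
int accept_transfer_name(const char *name, const char *pattern)
{
    return name_is_safe(name) && name_matches_request(name, pattern);
}

/* Progress-meter output: replace every byte that is not printable ASCII
 * with '?', so a server-chosen name cannot inject terminal control
 * sequences. Returns the number of bytes written, excluding the NUL. */
size_t sanitize_for_display(const char *in, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0)
        return 0;
    for (; *in != '\0' && n + 1 < outlen; in++, n++) {
        unsigned char c = (unsigned char)*in;
        out[n] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample of names a hostile server might return when the
     * client requested "report-*.txt". */
    const char *pattern = "report-*.txt";
    const char *samples[] = { "report-2020.txt", ".", "",
                              "../authorized_keys", "report-\x1b[2K.txt",
                              "other.txt" };
    char shown[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sanitize_for_display(samples[i], shown, sizeof shown);
        printf("%-24s %s\n", shown,
               accept_transfer_name(samples[i], pattern) ? "accept" : "reject");
    }
    return 0;
}
```

Only the first sample is accepted; the traversal, dot, empty and
escape-sequence names are refused before any file is touched, and
"other.txt" is refused because it does not match what was asked for,
which is the check the original scp client lacked.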

Product Status

PAN-OS

Versions  Affected   Unaffected
7.1       < 7.1.26   >= 7.1.26
8.0       < 8.0.21   >= 8.0.21
8.1       < 8.1.13   >= 8.1.13
9.0       < 9.0.7    >= 9.0.7

Severity: MEDIUM

CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H)


Solution

These issues are fixed in PAN-OS 7.1.26 (pending release), PAN-OS
8.0.21, PAN-OS 8.1.13, PAN-OS 9.0.7 and all later versions.


Workarounds and Mitigations

This issue affects the management interface of PAN-OS and is mitigated
by following best practices for securing the PAN-OS management
interface. Our best practices guidelines reduce the exposure of the
management interface to potential attackers. Please review the Best
Practices for Securing Administrative Access in the PAN-OS 8.1 technical
documentation, available at:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.

(C) 2020 Palo Alto Networks, Inc. All rights reserved.

____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-1992

CVE-2020-1992 PAN-OS on PA-7000 Series: Varrcvr daemon network-based
denial of service or privilege escalation


Severity             8.1 HIGH
Attack Vector        NETWORK
Attack Complexity    HIGH
Privileges Required  NONE
User Interaction     NONE
Scope                UNCHANGED
Confidentiality Impact HIGH
Integrity Impact     HIGH
Availability Impact  HIGH
Published:           2020-04-08
Updated:             2020-04-08
Ref#:                PAN-135103


Description

A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000
Series devices with a Log Forwarding Card (LFC) allows remote attackers
to crash the daemon creating a denial of service condition or
potentially execute code with root privileges.

This issue affects Palo Alto Networks PAN-OS 9.0 versions before 9.0.7;
PAN-OS 9.1 versions before 9.1.2 on PA-7000 Series devices with an LFC
installed and configured.

This issue requires WildFire services to be configured and enabled.

This issue does not affect PAN-OS 8.1 and earlier releases.

This issue does not affect any other PA Series firewalls.


Product Status

PAN-OS

Versions  Affected                              Unaffected
9.0       < 9.0.7 on PA-7000 series with LFC    >= 9.0.7 on PA-7000 series with LFC
9.1       < 9.1.2 on PA-7000 series with LFC    >= 9.1.2 on PA-7000 series with LFC
8.1                                             8.1.*
8.0                                             8.0.*
7.1                                             7.1.*


Required Configuration

This issue requires WildFire services to be configured and enabled.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Solution

This issue is fixed in PAN-OS 9.0.7, PAN-OS 9.1.2 and all later
versions.


Workarounds and Mitigations

There are no viable workarounds for this issue.


Acknowledgements

This issue was found by a customer.

Timeline

2020-04-08 Initial publication


_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-1990

CVE-2020-1990 PAN-OS: Buffer overflow in the management server


Severity                7.2 HIGH
Attack Vector           NETWORK
Attack Complexity       LOW
Privileges Required     HIGH
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        HIGH
Availability Impact     HIGH
Published:              2020-04-08
Updated:                2020-04-08
Ref#:                   PAN-121319


Description

A stack-based buffer overflow vulnerability in the management server
component of PAN-OS allows an authenticated user to upload a corrupted
PAN-OS configuration and potentially execute code with root privileges.

This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13;
9.0 versions before 9.0.7.

This issue does not affect PAN-OS 7.1.


Product Status

PAN-OS


Versions  Affected   Unaffected
8.1       < 8.1.13   >= 8.1.13
9.0       < 9.0.7    >= 9.0.7
7.1                  7.1.*


Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


Solution

This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7 and all later
versions.


Workarounds and Mitigations

This issue affects the management interface of PAN-OS and is strongly
mitigated by following best practices for securing the PAN-OS management
interface. Our best practices guidelines reduce the exposure of the
management interface to potential attackers. Please review the Best
Practices for Securing Administrative Access in the PAN-OS 9.0 technical
documentation, available at:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html.


Acknowledgements

This issue was discovered by Nicholas Newsom of Palo Alto Networks
during internal security review.


Timeline

2020-04-08 Initial publication



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================




