====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN341
_____________________________________________________________________

DATE                : 12/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions prior to 9.1.0, 9.0.7, 8.1.13,
                                             7.1.26.

=====================================================================
https://security.paloaltonetworks.com/CVE-2020-2027
https://security.paloaltonetworks.com/CVE-2020-2028
https://security.paloaltonetworks.com/CVE-2020-2029
_____________________________________________________________________

CVE-2020-2027 PAN-OS: Buffer overflow in authd authentication response
047910

Severity 7.2 ·          HIGH
Attack Vector           NETWORK
Attack Complexity       LOW
Privileges Required     HIGH
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        HIGH
Availability Impact     HIGH

NVD JSON

Published:              2020-06-10
Updated:                2020-06-10
Ref#:                   CYR-10833


Description

A buffer overflow vulnerability in the authd component of the PAN-OS
management server allows authenticated administrators to disrupt system
processes and potentially execute arbitrary code with root privileges.

This issue affects:

All versions of PAN-OS 7.1 and PAN-OS 8.0;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.13;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.7.


Product Status

PAN-OS

Versions	Affected	Unaffected
9.1	                        >= 9.1.0
9.0              < 9.0.7	>= 9.0.7
8.1              < 8.1.13	>= 8.1.13
8.0              8.0.*	
7.1              7.1.*	


Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-121 Stack-based Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7, PAN-OS 9.1.0, and
all later PAN-OS versions.

PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer
covered by our Product Security Assurance policies.

PAN-OS 7.1 is on extended support until June 30, 2020, and we are
considering updates only for critical security vulnerability fixes.


Workarounds and Mitigations

This issue affects the management interface of PAN-OS and you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgements

This issue was found by Nicholas Newsom of Palo Alto Networks during
internal security review.

Timeline
2020-06-10
Initial publication

_____________________________________________________________________

CVE-2020-2028 PAN-OS: OS command injection vulnerability in FIPS-CC mode
certificate verification

Severity 7.2 ·           HIGH
Attack Vector            NETWORK
Attack Complexity        LOW
Privileges Required      HIGH
User Interaction         NONE
Scope                    UNCHANGED
Confidentiality Impact   HIGH
Integrity Impact         HIGH
Availability Impact      HIGH

NVD JSON

Published:               2020-06-10
Updated:                 2020-06-10
Ref#:                    PAN-125804


Description

An OS Command Injection vulnerability in PAN-OS management server allows
authenticated administrators to execute arbitrary OS commands with root
privileges when uploading a new certificate in FIPS-CC mode.

This issue affects:

All versions of PAN-OS 7.1 and PAN-OS 8.0;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.13;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.7.


Product Status

PAN-OS

Versions	Affected	Unaffected
9.1                             >= 9.1.0
9.0             < 9.0.7         >= 9.0.7
8.1             < 8.1.13        >= 8.1.13
8.0             8.0.*	
7.1             7.1.*	


Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


Weakness Type

CWE-78 OS Command Injection


Solution

This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7, PAN-OS 9.1.0, and
all later PAN-OS versions.

PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer
covered by our Product Security Assurance policies.

PAN-OS 7.1 is on extended support until June 30, 2020, and we are
considering updates only for critical security vulnerability fixes.


Workarounds and Mitigations

This issue affects the management interface of PAN-OS and you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgements

This issue was found by Nicholas Newsom of Palo Alto Networks during
internal security review.


Timeline
2020-06-10
Initial publication
_____________________________________________________________________

CVE-2020-2029 PAN-OS: OS command injection vulnerability in management
interface certificate generator


Severity 7.2 ·           HIGH
Attack Vector            NETWORK
Attack Complexity        LOW
Privileges Required      HIGH
User Interaction         NONE
Scope                    UNCHANGED
Confidentiality Impact   HIGH
Integrity Impact         HIGH
Availability Impact      HIGH
NVD JSON
Published:               2020-06-10
Updated:                 2020-06-10
Ref#:                    PAN-124621

Description

An OS Command Injection vulnerability in the PAN-OS web management
interface allows authenticated administrators to execute arbitrary OS
commands with root privileges by sending a malicious request to generate
new certificates for use in the PAN-OS configuration.

This issue affects:

All versions of PAN-OS 8.0;

PAN-OS 7.1 versions earlier than PAN-OS 7.1.26;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.13.


Product Status

PAN-OS

Versions	Affected	Unaffected
9.1                             >= 9.1.0
9.0                             >= 9.0.0
8.1             < 8.1.13        >= 8.1.13
8.0             8.0.*	
7.1             < 7.1.26        >= 7.1.26


Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


Weakness Type

CWE-78 OS Command Injection


Solution

This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, and all later
PAN-OS versions.

PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer
covered by our Product Security Assurance policies.

PAN-OS 7.1 is on extended support until June 30, 2020, and we are
considering updates only for critical security vulnerability fixes.


Workarounds and Mitigations

This issue affects the management interface of PAN-OS and you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgements
Palo Alto Networks thanks Przemysław Kowalski of STM Solutions for
discovering and reporting this issue.


Timeline

2020-06-10
Initial publication



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=3D=3D=3D=3D=3D=3D=3D