====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN378
_____________________________________________________________________

DATE                : 09/07/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions prior to 9.1.3, 8.1.15, 9.0.9.

=====================================================================
https://security.paloaltonetworks.com/CVE-2020-2034
https://security.paloaltonetworks.com/CVE-2020-2030
https://security.paloaltonetworks.com/CVE-2020-2031
https://security.paloaltonetworks.com/CVE-2020-1982
_____________________________________________________________________

CVE-2020-2034 PAN-OS: OS command injection vulnerability in
GlobalProtect portal
 	
047910

Severity 8.1 ·         HIGH
Attack Vector          NETWORK
Attack Complexity      HIGH
Privileges Required    NONE
User Interaction       NONE
Scope                  UNCHANGED
Confidentiality Impact HIGH
Integrity Impact       HIGH
Availability Impact    HIGH
NVD JSON
Published              2020-07-08
Updated                2020-07-08
Reference              PAN-145587
Discovered internally


Description

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal
allows an unauthenticated network-based attacker to execute arbitrary OS
commands with root privileges. An attacker would require some level of
specific information about the configuration of an impacted firewall or
perform brute-force attacks to exploit this issue. This issue cannot be
exploited if the GlobalProtect portal feature is not enabled.

This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS
8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier
than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.

Prisma Access services are not impacted by this vulnerability. Firewalls
that were upgraded to the latest versions of PAN-OS to resolve
CVE-2020-2021 are not vulnerable to this issue.

Palo Alto Networks is not aware of any malicious attempts to exploit
this vulnerability.


Product Status

PAN-OS
Versions	Affected	Unaffected
9.1             < 9.1.3	         >= 9.1.3
9.0             < 9.0.9	         >= 9.0.9
8.1             < 8.1.15	 >= 8.1.15
8.0             8.0.*	
7.1             7.1.*	


Required Configuration for Exposure

This issue is applicable only where GlobalProtect portal is enabled.


Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Weakness Type

CWE-78 OS Command Injection


Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and
all later PAN-OS versions.

PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and
October 31, 2019 respectively) and are no longer covered by our Product
Security Assurance policies.


Workarounds and Mitigations

Acknowledgments

This issue was found by Yamata Li of Palo Alto Networks during internal
security review.


Timeline

2020-07-08      Initial publication

_____________________________________________________________________

CVE-2020-2031 PAN-OS: Integer underflow in the management interface
047910

Severity 4.9 ·           MEDIUM
Attack Vector            NETWORK
Attack Complexity        LOW
Privileges Required      HIGH
User Interaction         NONE
Scope                    UNCHANGED
Confidentiality Impact   NONE
Integrity Impact         NONE
Availability Impact      HIGH
NVD JSON
Published                2020-07-08
Updated                  2020-07-08
Reference                PAN-100000
Discovered internally


Description

An integer underflow vulnerability in the dnsproxyd component of the
PAN-OS management interface allows authenticated administrators to issue
a command from the command line interface that causes the component to
stop responding. Repeated attempts to send this request result in denial
of service to all PAN-OS services by restarting the device and putting
it into maintenance mode.

This issue impacts:

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.

This issue does not impact PAN-OS 8.1, PAN-OS 9.0, or Prisma Access
services.


Product Status

PAN-OS

Versions	Affected	Unaffected
9.1             < 9.1.3         >= 9.1.3
9.0             9.0.*
8.1             8.1.*

Severity: MEDIUM

CVSSv3.1 Base Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


Weakness Type

CWE-191 Integer Underflow (Wrap or Wraparound)


Solution

This issue is fixed in PAN-OS 9.1.3 and all later PAN-OS versions.


Workarounds and Mitigations

This issue impacts the PAN-OS management interface but you can mitigate
the impact of this issue by following best practices for securing the
PAN-OS management interface. Please review the Best Practices for
Securing Administrative Access in the PAN-OS technical documentation,
available at https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was discovered by Jin Chen of Palo Alto Networks during
internal security review.


Timeline
2020-07-08    Initial publication

_____________________________________________________________________

CVE-2020-2030 PAN-OS: OS command injection vulnerability in the
management interface
047910

Severity 7.2 ·           HIGH
Attack Vector            NETWORK
Attack Complexity        LOW
Privileges Required      HIGH
User Interaction         NONE
Scope                    UNCHANGED
Confidentiality Impact   HIGH
Integrity Impact         HIGH
Availability Impact      HIGH
NVD JSON
Published                2020-07-08
Updated                  2020-07-08
Reference PAN-100226 and PAN-102677
Discovered internally


Description

An OS Command Injection vulnerability in the PAN-OS management interface
that allows authenticated administrators to execute arbitrary OS
commands with root privileges.

This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and
all versions of PAN-OS 7.1 and PAN-OS 8.0.

This issue does not impact PAN-OS 9.0, PAN-OS 9.1, or Prisma Access
services.


Product Status

PAN-OS

Versions	Affected	Unaffected
9.1             >= 9.1.0
9.0             >= 9.0.0
8.1             < 8.1.15         >= 8.1.15
8.0             8.0.*	
7.1             7.1.*	


Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


Weakness Type

CWE-78 OS Command Injection


Solution

This issue is fixed in PAN-OS 8.1.15 and all later PAN-OS versions.

PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and
October 31, 2019 respectively) and are no longer covered by our Product
Security Assurance policies.


Workarounds and Mitigations

This issue impacts the PAN-OS management interface but you can mitigate
the impact of this issue by following best practices for securing the
PAN-OS management interface. Please review the Best Practices for
Securing Administrative Access in the PAN-OS technical documentation,
available at https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was found by Jin Chen of Palo Alto Networks during internal
security review.


Timeline
2020-07-08     Initial publication

_____________________________________________________________________

CVE-2020-1982 PAN-OS: TLS 1.0 usage for certain communications with Palo
Alto Networks cloud delivered services


Severity 4.8 ·          MEDIUM
Attack Vector           NETWORK
Attack Complexity       HIGH
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  LOW
Integrity Impact        LOW
Availability Impact     NONE
NVD JSON
Published               2020-07-08
Updated                 2020-07-08
Reference PAN-141122 and PAN-141579
Discovered in production use


Description

Certain communication between PAN-OS and cloud-delivered services
inadvertently use TLS 1.0, which is known to be a cryptographically weak
protocol.

These cloud services include Cortex Data Lake, the Customer Support
Portal, and the Prisma Access infrastructure.

Conditions required for exploitation of known TLS 1.0 weaknesses do not
exist for the communication between PAN-OS and cloud-delivered services.
We do not believe that any communication is impacted as a result of
known attacks against TLS 1.0.

This issue impacts:

All versions of PAN-OS 8.0;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.14;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.9;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.

PAN-OS 7.1 is not impacted by this issue.


Product Status

PAN-OS

Versions	Affected	Unaffected
9.1             < 9.1.3         >= 9.1.3
9.0             < 9.0.9         >= 9.0.9
8.1             < 8.1.15        >= 8.1.15
8.0             8.0.*	
7.1             7.1.*


Severity: MEDIUM

CVSSv3.1 Base Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)


Weakness Type

CWE-326 Inadequate Encryption Strength


Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and
all later PAN-OS versions.

A fixed version of PAN-OS is required to ensure secure usage of cloud-
delivered services without interruption.

PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and
October 31, 2019 respectively) and are no longer covered by our Product
Security Assurance policies.


Workarounds and Mitigations

Since TLS 1.0 weaknesses are exploited by the man-in-the-middle type of
attackers, ensuring security of the networks reduces risks of
exploitation of these issues.


Acknowledgments
This issue was found by a customer.


Timeline
2020-07-08   Initial publication


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================