
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN507
_____________________________________________________________________

DATE                : 11/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PAN-OS versions prior to 8.1.16,
                                        9.0.10, 9.1.4.

=====================================================================
https://securityadvisories.paloaltonetworks.com/CVE-2020-2043
https://securityadvisories.paloaltonetworks.com/CVE-2020-2037
https://securityadvisories.paloaltonetworks.com/CVE-2020-2039
https://securityadvisories.paloaltonetworks.com/CVE-2020-2042
https://securityadvisories.paloaltonetworks.com/CVE-2020-2038
https://securityadvisories.paloaltonetworks.com/CVE-2020-2041
https://securityadvisories.paloaltonetworks.com/CVE-2020-2044
https://securityadvisories.paloaltonetworks.com/CVE-2020-2036
_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2043

CVE-2020-2043 PAN-OS: Passwords may be logged in clear text when using
after-change-detail custom syslog field for config logs

Severity 3.3 (LOW)
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact NONE
Published 2020-09-09
Updated 2020-09-09
Reference PAN-146837
Discovered internally

Description

An information exposure through log file vulnerability exists in Palo
Alto Networks PAN-OS software: sensitive fields are recorded in the
configuration log without masking when the after-change-detail custom
syslog field is enabled for configuration logs and the sensitive field
appears multiple times in one log entry. The first instance of the
sensitive field is masked but subsequent instances are left in clear text.
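
The "first instance masked, later instances in clear text" behaviour described above can be checked for in collected config logs. The following is an added example, not Palo Alto Networks code: the key=value syntax, the key names and the `********` mask token are assumptions, and the sample entries are constructed.

```python
import re

# Assumptions (not PAN-OS specifics): key=value syntax, these key names, this mask token.
SENSITIVE_KEYS = ("password", "secret")
MASK = "********"
_FIELD = re.compile(r"\b(%s)=([^\s;,}]+)" % "|".join(SENSITIVE_KEYS), re.IGNORECASE)


def _masked(match):
    return f"{match.group(1)}={MASK}"


def mask_first_only(entry):
    """Defect pattern from the advisory: only the first sensitive field is masked."""
    return _FIELD.sub(_masked, entry, count=1)


def mask_all(entry):
    """Corrected behaviour: every sensitive field in the entry is masked."""
    return _FIELD.sub(_masked, entry)


def audit(lines):
    """Report log lines that still carry a sensitive field in clear text.

    Only key names and counts are reported, never the values, so the audit
    output does not become a second copy of the secret.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        fields = list(_FIELD.finditer(line))
        clear = [m for m in fields if m.group(2) != MASK]
        if clear:
            findings.append({
                "line": number,
                "masked": len(fields) - len(clear),
                "cleartext_keys": [m.group(1).lower() for m in clear],
                # Masked and unmasked fields side by side is the signature
                # of the "first instance only" behaviour.
                "partial_mask": len(clear) < len(fields),
            })
    return findings


# Constructed sample entries (not real PAN-OS log output).
SAMPLE_RAW = [
    "config set after-change-detail: user a { password=EXAMPLE-ONE; } user b { password=EXAMPLE-TWO; }",
    "config set after-change-detail: server s { secret=EXAMPLE-THREE; }",
    "config set after-change-detail: interface e1 { mtu=1500; }",
]
LOGGED_BUGGY = [mask_first_only(e) for e in SAMPLE_RAW]
LOGGED_FIXED = [mask_all(e) for e in SAMPLE_RAW]

if __name__ == "__main__":
    for finding in audit(LOGGED_BUGGY):
        print(finding)
    print("after fix:", audit(LOGGED_FIXED))
```

Entries with a single sensitive field pass the audit even under the defective masking, which is why the issue only shows up when the field repeats within one entry.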


This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.4.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     >= 10.0.0
PAN-OS 9.1   < 9.1.4  >= 9.1.4
PAN-OS 9.0   < 9.0.10 >= 9.0.10
PAN-OS 8.1   < 8.1.16 >= 8.1.16

Required Configuration for Exposure

This issue is only applicable when the after-change-detail custom
syslog field is enabled for config logs.

Severity: LOW

CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Weakness Type

CWE-532 Information Exposure Through Log Files


Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, and
all later PAN-OS versions.


Workarounds and Mitigations

This issue requires access to PAN-OS log files generated in the system.
You can mitigate the impact of this issue by following best practices
for securing the PAN-OS management interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was found by a customer of Palo Alto Networks during internal
security review.


Timeline

2020-09-09 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2037

CVE-2020-2037 PAN-OS: OS command injection vulnerability in the
management web interface

Severity 7.2 (HIGH)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2020-09-09
Updated 2020-09-09
Reference PAN-128761
Discovered externally


Description

An OS command injection vulnerability in the PAN-OS management interface
allows authenticated administrators to execute arbitrary OS commands
with root privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     >= 10.0.0
PAN-OS 9.1   < 9.1.3  >= 9.1.3
PAN-OS 9.0   < 9.0.10 >= 9.0.10
PAN-OS 8.1   < 8.1.16 >= 8.1.16

Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-78 OS Command Injection


Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.3, and
all later PAN-OS versions.


Workarounds and Mitigations

This issue impacts the PAN-OS management web interface but you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

Palo Alto Networks thanks Mikhail Klyuchnikov of Positive Technologies,
and Nicholas Newsom of Palo Alto Networks for discovering and reporting
this issue.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2039

CVE-2020-2039 PAN-OS: Management web interface denial-of-service (DoS)
through unauthenticated file upload

Severity 5.3 (MEDIUM)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact LOW
Published 2020-09-09
Updated 2020-09-09
Reference PAN-148806
Discovered externally


Description

An uncontrolled resource consumption vulnerability in Palo Alto Networks
PAN-OS allows for a remote unauthenticated user to upload temporary
files through the management web interface that are not properly deleted
after the request is finished. It is possible for an attacker to disrupt
the availability of the management web interface by repeatedly uploading
files until available disk space is exhausted.


This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.4;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  < 10.0.1 >= 10.0.1
PAN-OS 9.1   < 9.1.4  >= 9.1.4
PAN-OS 9.0   < 9.0.10 >= 9.0.10
PAN-OS 8.1   < 8.1.16 >= 8.1.16

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Weakness Type

CWE-400 Uncontrolled Resource Consumption


Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4,
PAN-OS 10.0.1, and all later PAN-OS versions.


Workarounds and Mitigations

This issue impacts the PAN-OS management web interface but you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of
Positive Technologies for discovering and reporting this issue.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2042

CVE-2020-2042 PAN-OS: Buffer overflow in the management web interface

Severity 7.2 (HIGH)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2020-09-09
Updated 2020-09-09
Reference PAN-145797 and PAN-150409
Discovered internally


Description

A buffer overflow vulnerability in the PAN-OS management web interface
allows authenticated administrators to disrupt system processes and
potentially execute arbitrary code with root privileges.

This issue impacts only PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  < 10.0.1 >= 10.0.1
PAN-OS 9.1   None     9.1.*
PAN-OS 9.0   None     9.0.*
PAN-OS 8.1   None     8.1.*

Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-121 Stack-based Buffer Overflow


Solution

This issue is fixed in PAN-OS 10.0.1 and all later PAN-OS versions.


Workarounds and Mitigations

This issue impacts the PAN-OS management web interface but you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during
internal security review.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2038

CVE-2020-2038 PAN-OS: OS command injection vulnerability in the
management web interface

Severity 7.2 (HIGH)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2020-09-09
Updated 2020-09-09
Reference PAN-101484
Discovered externally

Description

An OS command injection vulnerability in the PAN-OS management interface
allows authenticated administrators to execute arbitrary OS commands
with root privileges.


This issue impacts:

PAN-OS 9.0 versions earlier than 9.0.10;

PAN-OS 9.1 versions earlier than 9.1.4;

PAN-OS 10.0 versions earlier than 10.0.1.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  < 10.0.1 >= 10.0.1
PAN-OS 9.1   < 9.1.4  >= 9.1.4
PAN-OS 9.0   < 9.0.10 >= 9.0.10
PAN-OS 8.1   None     8.1.*

Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-78 OS Command Injection


Solution

This issue is fixed in PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and
all later PAN-OS versions.


Workarounds and Mitigations

This issue impacts the PAN-OS management web interface but you can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of
Positive Technologies for discovering and reporting this issue.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2041

CVE-2020-2041 PAN-OS: Management web interface denial-of-service (DoS)


Severity 7.5 (HIGH)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH
Published 2020-09-09
Updated 2020-09-09
Reference PAN-151978
Discovered internally


Description

An insecure configuration of the appweb daemon of Palo Alto Networks
PAN-OS 8.1 allows a remote unauthenticated user to send a specifically
crafted request to the device that causes the appweb service to crash.
Repeated attempts to send this request result in denial of service to
all PAN-OS services by restarting the device and putting it into
maintenance mode.

This issue impacts all versions of PAN-OS 8.0, and PAN-OS 8.1 versions
earlier than 8.1.16.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     10.0.*
PAN-OS 9.1   None     9.1.*
PAN-OS 9.0   None     9.0.*
PAN-OS 8.1   < 8.1.16 >= 8.1.16
PAN-OS 8.0   8.0.*

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness Type

CWE-16 Configuration


Solution

This issue is fixed in PAN-OS 8.1.16 and all later PAN-OS versions.

PAN-OS 7.1 and PAN-OS 8.0 are end-of-life and are no longer covered by
our Product Security Assurance policies.


Workarounds and Mitigations

This issue impacts the management web interface of PAN-OS. You can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during
internal security review.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2044

CVE-2020-2044 PAN-OS: Passwords may be logged in clear text while
storing operational command (op command) history

Severity 3.3 (LOW)
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact NONE
Published 2020-09-09
Updated 2020-09-09
Reference PAN-135262
Discovered internally


Description

An information exposure through log file vulnerability exists in Palo
Alto Networks PAN-OS software where an administrator's password or other
sensitive information may be logged in cleartext while using the CLI.
The opcmdhistory.log file was introduced to track operational command
(op-command) usage but did not mask all sensitive information.


The opcmdhistory.log file is removed in PAN-OS 9.1 and later PAN-OS
versions. Command usage is recorded, instead, in the req_stats.log file
in PAN-OS 9.1 and later PAN-OS versions.


This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.


Product Status

 Versions  Affected Unaffected
PAN-OS 9.1 < 9.1.3  >= 9.1.3
PAN-OS 9.0 < 9.0.10 >= 9.0.10
PAN-OS 8.1 < 8.1.16 >= 8.1.16
PAN-OS 8.0 8.0.*

Severity: LOW

CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Weakness Type

CWE-532 Information Exposure Through Log Files


Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.3, and
all later PAN-OS versions.


Workarounds and Mitigations

This issue requires access to PAN-OS log files generated in the system.
You can mitigate the impact of this issue by following best practices
for securing the PAN-OS management interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was found by Yamata Li of Palo Alto Networks during internal
security review.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2036

CVE-2020-2036 PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in
management web interface

Severity 8.8 (HIGH)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2020-09-09
Updated 2020-09-09
Reference PAN-116720
Discovered externally


Description

A reflected cross-site scripting (XSS) vulnerability exists in the
PAN-OS management web interface. A remote attacker able to convince an
administrator with an active authenticated session on the firewall
management interface to click on a crafted link to that management web
interface could potentially execute arbitrary JavaScript code in the
administrator's browser and perform administrative actions.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     >= 10.0.0
PAN-OS 9.1   None     >= 9.1.0
PAN-OS 9.0   < 9.0.9  >= 9.0.9
PAN-OS 8.1   < 8.1.16 >= 8.1.16

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weakness Type

CWE-79 Cross-site Scripting (XSS)


Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.9, and all later PAN-OS
versions.


Workarounds and Mitigations

Administrators should use caution when they are authenticated to the
firewall management web interface and not click or open links from
unsolicited sources.

This issue impacts the management web interface of PAN-OS. You can
mitigate the impact of this issue by following best practices for
securing the PAN-OS management web interface.

Please review the Best Practices for Securing Administrative Access in
the PAN-OS technical documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

Palo Alto Networks thanks Mikhail Klyuchnikov and Nikita Abramov of
Positive Technologies and Ben Nott of Palo Alto Networks for discovering
and reporting this issue.


Timeline

2020-09-09 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-2040

CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or
Multi-Factor Authentication (MFA) is enabled

Severity 9.8 (CRITICAL)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2020-09-09
Updated 2020-09-09
Reference PAN-145149, PAN-145150, PAN-145151 and PAN-145195
Discovered internally


Description

A buffer overflow vulnerability in PAN-OS allows an unauthenticated
attacker to disrupt system processes and potentially execute arbitrary
code with root privileges by sending a malicious request to the Captive
Portal or Multi-Factor Authentication interface.


This issue impacts:

All versions of PAN-OS 8.0;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.15;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.9;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.


Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     >= 10.0.0
PAN-OS 9.1   < 9.1.3  >= 9.1.3
PAN-OS 9.0   < 9.0.9  >= 9.0.9
PAN-OS 8.1   < 8.1.15 >= 8.1.15
PAN-OS 8.0   8.0.*

Required Configuration for Exposure

This issue is applicable only where either Captive Portal or
Multi-Factor Authentication (MFA) is enabled.

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-120 Buffer Overflow


Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and
all later PAN-OS versions.

All Prisma Access services are now upgraded to resolve this issue and
are no longer vulnerable.

PAN-OS 7.1 and 8.0 are end-of-life and are no longer covered by our
Product Security Assurance policies.


Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling
signatures in content update version 8317 will block attacks against
CVE-2020-2040.


Acknowledgments

This issue was found by Yamata Li of Palo Alto Networks during internal
security review.

Frequently Asked Questions

Q. Has this been exploited in the wild?

    This issue was discovered during internal security review. No
    evidence of active exploitation has been identified as of this time.

Q. Are there any indicators of compromise or breach due to this
vulnerability?

    No.

Timeline

2020-09-09 Initial publication


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


