
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN625
_____________________________________________________________________

DATE                : 13/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions prior to 10.0.1, 9.1.5, 9.0.11,
                                    8.1.17.

=====================================================================
https://security.paloaltonetworks.com/CVE-2020-2050
https://security.paloaltonetworks.com/CVE-2020-2022
https://security.paloaltonetworks.com/CVE-2020-2000
https://security.paloaltonetworks.com/CVE-2020-1999
https://security.paloaltonetworks.com/CVE-2020-2048
_____________________________________________________________________

CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in
GlobalProtect client certificate verification


Severity                8.2 · HIGH
Attack Vector           NETWORK
Attack Complexity       LOW
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        LOW
Availability Impact     NONE
Published               2020-11-11
Updated                 2020-11-13
Reference               PAN-146650
Discovered              internally


Description

An authentication bypass vulnerability exists in the GlobalProtect SSL
VPN component of Palo Alto Networks PAN-OS software that allows an
attacker to bypass all client certificate checks with an invalid
certificate. A remote attacker can successfully authenticate as any user
and gain access to restricted VPN network resources when the gateway or
portal is configured to rely entirely on certificate-based
authentication.

Impacted features that use SSL VPN with client certificate verification
are:

GlobalProtect Gateway,
GlobalProtect Portal,
GlobalProtect Clientless VPN

In configurations where client certificate verification is used in
conjunction with other authentication methods, the protections added by
the certificate check are ignored as a result of this issue.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.5;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.


Product Status

Versions        Affected        Unaffected
PAN-OS 10.0     < 10.0.1        >= 10.0.1
PAN-OS 9.1      < 9.1.5         >= 9.1.5
PAN-OS 9.0      < 9.0.11        >= 9.0.11
PAN-OS 8.1      < 8.1.17        >= 8.1.17


Required Configuration for Exposure

This issue is only applicable to PAN-OS appliances using the
GlobalProtect VPN, gateway, or portal configured to allow users to
authenticate with client certificate authentication.

This issue cannot be exploited if client certificate authentication is
not in use.

Other forms of authentication are not impacted by this issue.


Severity: HIGH

CVSSv3.1 Base Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this
issue.


Weakness Type

CWE-285 Improper Authorization


Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5,
PAN-OS 10.0.1, and all later PAN-OS versions.


Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling
signatures for Unique Threat ID 59884 on traffic destined for the
GlobalProtect portal, gateway, or VPN will block attacks against
CVE-2020-2050.

This issue can be mitigated by configuring GlobalProtect to require
users to authenticate with their credentials. Other authentication
methods are not impacted by this issue.
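
The two exposure conditions above (certificate-only authentication means a
full bypass; certificate plus credentials means the certificate layer is
silently ignored until the upgrade) can be checked against an exported
configuration before deciding how urgently to patch. The following Python
script is an added example written for this note, not Palo Alto Networks
code: it walks a PAN-OS XML configuration and classifies every GlobalProtect
portal and gateway by how it authenticates clients. The element paths it
uses (global-protect-portal/entry/portal-config/certificate-profile,
global-protect-gateway/entry/certificate-profile and
client-auth/entry/authentication-profile) are assumptions modelled on
PAN-OS 9.x configuration exports and must be verified against your own
export; the configuration embedded in the block is constructed for the
example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Where each object keeps its client-certificate profile and its
# authentication profiles. ASSUMED paths modelled on PAN-OS 9.x XML
# exports; confirm them against your own configuration before relying
# on the result.
_OBJECTS: Dict[str, Tuple[str, str, str]] = {
    "portal": (
        ".//global-protect-portal/entry",
        "portal-config/certificate-profile",
        "portal-config/client-auth/entry/authentication-profile",
    ),
    "gateway": (
        ".//global-protect-gateway/entry",
        "certificate-profile",
        "client-auth/entry/authentication-profile",
    ),
}


def classify(has_cert_profile: bool, auth_profiles: List[str]) -> str:
    """Map a portal/gateway's authentication setup to its CVE-2020-2050 exposure."""
    if has_cert_profile and not auth_profiles:
        # The configuration the advisory calls "rely entirely on
        # certificate-based authentication": an invalid certificate gets in.
        return "certificate-only: EXPOSED, full authentication bypass"
    if has_cert_profile:
        # Credentials still apply, but the certificate check is ignored
        # until a fixed release is installed.
        return "certificate+credentials: certificate check ineffective until patched"
    if auth_profiles:
        return "credentials-only: not exposed"
    return "no client authentication configured"


def audit(config_xml: str) -> Dict[str, str]:
    """Return {'<kind>:<name>': classification} for every portal and gateway."""
    root = ET.fromstring(config_xml)
    findings: Dict[str, str] = {}
    for kind, (entry_path, cert_path, auth_path) in _OBJECTS.items():
        for entry in root.iterfind(entry_path):
            name = entry.get("name", "?")
            cert = (entry.findtext(cert_path) or "").strip()
            auths = [a.text.strip() for a in entry.iterfind(auth_path) if a.text]
            findings[f"{kind}:{name}"] = classify(bool(cert), auths)
    return findings


# Constructed sample configuration (not from a real device): one portal
# with certificate + LDAP, one certificate-only gateway, one LDAP-only gateway.
SAMPLE_CONFIG = """\
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="gp-portal">
          <portal-config>
            <client-auth>
              <entry name="default"><os>Any</os>
                <authentication-profile>ldap-auth</authentication-profile></entry>
            </client-auth>
            <certificate-profile>gp-client-cert</certificate-profile>
          </portal-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="gp-gw-external">
          <certificate-profile>gp-client-cert</certificate-profile>
        </entry>
        <entry name="gp-gw-internal">
          <client-auth>
            <entry name="default"><os>Any</os>
              <authentication-profile>ldap-auth</authentication-profile></entry>
          </client-auth>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>
"""

if __name__ == "__main__":
    for obj, verdict in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{obj:28} {verdict}")
```

Feed it the XML produced by Device > Setup > Operations > Export named
configuration snapshot. Anything reported as certificate-only is the
configuration the advisory says is fully bypassable; applying the
mitigation above (require credentials) moves it to the
certificate+credentials case, which the script still flags because the
certificate factor stays ineffective until the fixed release is installed.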


Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during
internal security review.


Frequently Asked Questions

Q. Is this a remote code execution (RCE)?

    No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?

    No evidence of active exploitation has been identified as of this
time. This issue was proactively found and fixed by Palo Alto Networks.

Q. Is IPsec-based VPN vulnerable to this issue?

    If client certificate authentication is enabled, IPsec-based VPN is
also affected.

Q. Is GlobalProtect pre-logon feature affected by this issue?

    GlobalProtect pre-logon feature using client certificates for
authentication is affected by this issue.


Timeline
2020-11-13           New workaround is available.
2020-11-11           Initial publication

_____________________________________________________________________

CVE-2020-2022 PAN-OS: Panorama session disclosure during context switch
into managed device


Severity                 7.5 · HIGH
Attack Vector            NETWORK
Attack Complexity        HIGH
Privileges Required      NONE
User Interaction         REQUIRED
Scope                    UNCHANGED
Confidentiality Impact   HIGH
Integrity Impact         HIGH
Availability Impact      HIGH
Published                2020-11-11
Updated                  2020-11-11
Reference                PAN-125218
Discovered               internally


Description

An information exposure vulnerability exists in Palo Alto Networks
Panorama software that discloses the token for the Panorama web
interface administrator's session to a managed device when the Panorama
administrator performs a context switch into that device. This
vulnerability allows an attacker to gain privileged access to the
Panorama web interface. An attacker requires some knowledge of managed
firewalls to exploit this issue.


This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.


Product Status

Versions        Affected        Unaffected
PAN-OS 10.0     None            10.0.*
PAN-OS 9.1      < 9.1.5         >= 9.1.5
PAN-OS 9.0      < 9.0.11        >= 9.0.11
PAN-OS 8.1      < 8.1.17        >= 8.1.17


Required Configuration for Exposure

This issue is not applicable when custom certificate authentication is
enabled between Panorama and managed firewalls. See
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-authentication-using-custom-certificates.html


Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this
issue.


Weakness Type

CWE-200 Information Exposure


Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and
all later PAN-OS versions.


Workarounds and Mitigations

This issue can be completely mitigated by enabling custom certificate
authentication between Panorama and managed firewalls. See
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-authentication-using-custom-certificates.html

This issue impacts the management web interface of appliances running
PAN-OS software and is strongly mitigated by following best practices
for securing the interface. Please review the Best Practices for
Securing Administrative Access in the PAN-OS technical documentation,
available at: https://docs.paloaltonetworks.com/best-practices


Acknowledgments
This issue was found by Ben Nott of Palo Alto Networks during internal
security review.


Timeline
2020-11-11                Initial publication

______________________________________________________________________

CVE-2020-2000 PAN-OS: OS command injection and memory corruption
vulnerability


Severity                    7.2 · HIGH
Attack Vector               NETWORK
Attack Complexity           LOW
Privileges Required         HIGH
User Interaction            NONE
Scope                       UNCHANGED
Confidentiality Impact      HIGH
Integrity Impact            HIGH
Availability Impact         HIGH
Published                   2020-11-11
Updated                     2020-11-13
Reference                   PAN-149822, PAN-150013 and PAN-150170
Discovered                  internally


Description

An OS command injection and memory corruption vulnerability exists in the
PAN-OS management web interface that allows authenticated administrators
to disrupt system processes and potentially execute arbitrary code and
OS commands with root privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.4;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.


Product Status

Versions        Affected        Unaffected
PAN-OS 10.0     < 10.0.1        >= 10.0.1
PAN-OS 9.1      < 9.1.4         >= 9.1.4
PAN-OS 9.0      < 9.0.10        >= 9.0.10
PAN-OS 8.1      < 8.1.16        >= 8.1.16


Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this
issue.

Weakness Type

CWE-20 Improper Input Validation

CWE-78 OS Command Injection

CWE-121 Stack-based Buffer Overflow


Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4,
PAN-OS 10.0.1, and all later PAN-OS versions.


Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling
signatures for Unique Threat IDs 59888 and 59891 on a firewall
protecting the management interface will block attacks against
CVE-2020-2000.

This issue impacts the PAN-OS management web interface but you can
mitigate the impact of this issue by following best practices for
securing the interface. Please review the Best Practices for Securing
Administrative Access in the PAN-OS technical documentation, available
at https://docs.paloaltonetworks.com/best-practices.


Acknowledgments
This issue was found by Nicholas Newsom of Palo Alto Networks during
internal security review.

Timeline
2020-11-13                     Added a new workaround
2020-11-11                     Initial publication

_____________________________________________________________________

CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically
crafted packets


Severity                5.3 · MEDIUM
Attack Vector           NETWORK
Attack Complexity       LOW
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  NONE
Integrity Impact        LOW
Availability Impact     NONE
Published               2020-11-11
Updated                 2020-11-13
Reference               PAN-145133
Discovered              internally


Description

A vulnerability exists in the Palo Alto Networks PAN-OS signature-based
threat detection engine that allows an attacker to evade threat
prevention signatures using specifically crafted TCP packets.

This CVE has no impact on the confidentiality and availability of
PAN-OS. This issue does not let an attacker access resources blocked by
firewall policies and it has no impact on the service availability.
There could be an impact on the accuracy of firewall threat prevention
with some signatures, but there is no impact on the integrity of other
security features.

This issue impacts:

PAN-OS 8.1 versions earlier than 8.1.17;

PAN-OS 9.0 versions earlier than 9.0.11;

PAN-OS 9.1 versions earlier than 9.1.5;

All versions of PAN-OS 7.1 and PAN-OS 8.0.


Product Status

Versions        Affected        Unaffected
PAN-OS 10.0     None            10.0.*
PAN-OS 9.1      < 9.1.5         >= 9.1.5
PAN-OS 9.0      < 9.0.11        >= 9.0.11
PAN-OS 8.1      < 8.1.17        >= 8.1.17
PAN-OS 8.0      8.0.*           none listed
PAN-OS 7.1      7.1.*           none listed


Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.


Weakness Type

CWE-754 Improper Check for Unusual or Exceptional Conditions


Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and
all later PAN-OS versions.


Workarounds and Mitigations

There are no known workarounds for this issue.


Acknowledgments
This issue was found by Vijay Prakash of Palo Alto Networks during
internal security review.


Timeline
2020-11-11             Initial publication

_____________________________________________________________________

CVE-2020-2048 PAN-OS: System proxy passwords may be logged in clear text
while viewing system state

Severity                 3.3 · LOW
Attack Vector            LOCAL
Attack Complexity        LOW
Privileges Required      LOW
User Interaction         NONE
Scope                    UNCHANGED
Confidentiality Impact   LOW
Integrity Impact         NONE
Availability Impact      NONE
Published                2020-11-11
Updated                  2020-11-11
Reference                PAN-140157
Discovered               in production use


Description

An information exposure through log file vulnerability exists where the
password for the configured system proxy server for a PAN-OS appliance
may be displayed in cleartext when using the CLI in Palo Alto Networks
PAN-OS software.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.


Product Status

Versions        Affected        Unaffected
PAN-OS 10.0     None            10.0.*
PAN-OS 9.1      < 9.1.2         >= 9.1.2
PAN-OS 9.0      < 9.0.11        >= 9.0.11
PAN-OS 8.1      < 8.1.17        >= 8.1.17
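
The five Product Status tables in this note (CVE-2020-2050, CVE-2020-2022,
CVE-2020-2000, CVE-2020-1999 and CVE-2020-2048) draw the affected/fixed
boundary at a different maintenance release per train, and two trains
(7.1 and 8.0) are listed for one CVE only. The following Python script is
an added example written for this note, not Palo Alto Networks code: it
transcribes those tables and reports, for a given PAN-OS version string,
whether the device is affected, fixed, listed as unaffected, or simply
not covered by that advisory. It compares hotfix releases (e.g. 9.1.4-h1)
as later than their base release, which is the assumption a practitioner
would want stated. The 'show system info' excerpt embedded in the block
is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Marker for a train the table explicitly lists as "Unaffected".
UNAFFECTED = "unaffected"

# Fixed release per PAN-OS train, transcribed from the Product Status
# tables in the five advisories. None = the whole train is affected and
# the table lists no fixed release (PAN-OS 7.1 and 8.0 for CVE-2020-1999).
# A train absent from a CVE's map is not mentioned by that advisory.
FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "CVE-2020-2050": {"8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.5",
                      "10.0": "10.0.1"},
    "CVE-2020-2022": {"8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.5",
                      "10.0": UNAFFECTED},
    "CVE-2020-2000": {"8.1": "8.1.16", "9.0": "9.0.10", "9.1": "9.1.4",
                      "10.0": "10.0.1"},
    "CVE-2020-1999": {"7.1": None, "8.0": None, "8.1": "8.1.17",
                      "9.0": "9.0.11", "9.1": "9.1.5", "10.0": UNAFFECTED},
    "CVE-2020-2048": {"8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.2",
                      "10.0": UNAFFECTED},
}

# major.minor.maint with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'9.0.11-h2' -> (9, 0, 11, 2). A release without a hotfix gets 0, so
    9.0.11 < 9.0.11-h1 and both compare >= the 9.0.11 fix (ASSUMPTION)."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version: str, cve: str) -> str:
    """'affected', 'fixed', 'unaffected' or 'not covered' for one advisory."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    cve_map = FIXED[cve]
    if train not in cve_map:
        return "not covered"          # the advisory says nothing about this train
    fixed_in = cve_map[train]
    if fixed_in == UNAFFECTED:
        return "unaffected"
    if fixed_in is None:
        return "affected"             # whole train affected, no fix listed
    return "fixed" if parsed >= parse_version(fixed_in) else "affected"


def assess(version: str) -> Dict[str, str]:
    """Status of one version against all five advisories."""
    return {cve: status(version, cve) for cve in FIXED}


_SW_RE = re.compile(r"^sw-version:\s*(\S+)", re.MULTILINE)


def sw_version_from_show_system_info(text: str) -> str:
    """Pull the running version out of 'show system info' CLI output."""
    m = _SW_RE.search(text)
    if not m:
        raise ValueError("no sw-version line found")
    return m.group(1)


# Constructed sample of 'show system info' output (not from a real device).
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-3220
sw-version: 9.1.4-h1
app-version: 8341-6379
"""

if __name__ == "__main__":
    ver = sw_version_from_show_system_info(SAMPLE_SHOW_SYSTEM_INFO)
    for cve, result in assess(ver).items():
        print(f"{ver:12} {cve}: {result}")
```

A "not covered" result (for example PAN-OS 8.0 against CVE-2020-2050) is
deliberately not reported as unaffected: the table for that advisory
simply does not list the train, so no conclusion can be drawn from this
note alone.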


Required Configuration for Exposure

This issue is only applicable when a system proxy server is configured
on the firewall. You can verify this in the management web interface:
Setup -> Services -> Proxy Server.


Severity: LOW

CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this
issue.


Weakness Type

CWE-532 Information Exposure Through Log Files


Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.2, and
all later PAN-OS versions.


Workarounds and Mitigations

This issue impacts the management web interface. You can mitigate the
impact of this issue by following best practices for securing the
interface. Please review the Best Practices for Securing Administrative
Access in the PAN-OS technical documentation, available at
https://docs.paloaltonetworks.com/best-practices.


Acknowledgments

This issue was found by a customer of Palo Alto Networks during internal
security review.


Timeline

2020-11-11                     Initial publication

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



