Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3116
CVE-2020-2041 PAN-OS: Management web interface denial-of-service (DoS)
10 September 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PAN-OS
Publisher: Palo Alto
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-2041
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/CVE-2020-2041
- --------------------------BEGIN INCLUDED TEXT--------------------
Palo Alto Networks Security Advisories / CVE-2020-2041
CVE-2020-2041 PAN-OS: Management web interface denial-of-service (DoS)
047910
Severity 7.5 . HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH
NVD JSON
Published 2020-09-09
Updated 2020-09-09
Reference PAN-151978
Discovered internally
Description
An insecure configuration of the appweb daemon of Palo Alto Networks PAN-OS 8.1
allows a remote unauthenticated user to send a specifically crafted request to
the device that causes the appweb service to crash. Repeated attempts to send
this request result in denial of service to all PAN-OS services by restarting
the device and putting it into maintenance mode.
This issue impacts all versions of PAN-OS 8.0, and PAN-OS 8.1 versions earlier
than 8.1.16.
Product Status
Versions Affected Unaffected
PAN-OS 10.0 None 10.0.*
PAN-OS 9.1 None 9.1.*
PAN-OS 9.0 None 9.0.*
PAN-OS 8.1 < 8.1.16 >= 8.1.16
PAN-OS 8.0 8.0.*
Severity: HIGH
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness Type
CWE-16 Configuration
Solution
This issue is fixed in PAN-OS 8.1.16 and all later PAN-OS versions.
PAN-OS 7.1 and PAN-OS 8.0 are end-of-life and are no longer covered by our
Product Security Assurance policies.
Workarounds and Mitigations
This issue impacts the management web interface of PAN-OS. You can mitigate the
impact of this issue by following best practices for securing the PAN-OS
management web interface. Please review the Best Practices for Securing
Administrative Access in the PAN-OS technical documentation, available at
https://docs.paloaltonetworks.com/best-practices.
Acknowledgments
This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.
Timeline
2020-09-09 Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure
Policy Report vulnerabilitiesManage subscriptions
(C) 2020 Palo Alto Networks, Inc. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX1nBt+NLKJtyKPYoAQj34g//YJz8PtIbc2Oglx3FiBIYFwajq00Duwxp
7OypWPj3o9KbSpT2v5R8VdKyuwhQoFfxlfCDyMW6o+n+o1sCKoZGfUKQmjWwWIfS
xcn4D1DPSKzO4lS5N73MH7VPiBeNsN8xQDW6ToWyL4KsSGzF51px5Nqp8QMaW7v3
XY+f9ahN203OSBMWnpVdRuusO3yZ5vjc+fjRKwat1Vf/lwvxS2TzibvKRv6hYg3Y
n1+EWErAZ7MVL2PnV6ix9lmBfVW84e3zxfupkT1FmfcKODxGA1s7HYDo8IuMcQ5y
9YG0EqGKF/njVOQABWnwKwC6tEZ4I9VTEWB1wVva0t28UjFpyoWFFrz0cFWotHZ4
xpcxAUxD0Cs9DZ8NGaJPfSSPD8CHCty376zZFMKCn0g05jnYZw0yV/rw2Oo7mDn9
dxz6xYt/MZxvWnn8gCIuPhh3dCIcxMfqv2XAgYv3fYJvB59DusYZnaLcIO6qEeow
vn0xiqWf0oeFimN/x7vHgrqIxsKtKVAM+2IY85MPtrJntfEHrkfiBtvmmLZY+z1e
IrWm9ZOxYHm37TL+ULhdqL3xC/D6ftm1kZHShTFGKART+r8FH61V7ppPi+do5g3b
Kq46OVUsQMRAM+xsF4MTphbuUHLx5F4h8H6Q7F5PyZNh1yPIqGxmrgl3PmA3AoUx
l7aF+W0FC6M=
=dsbk
-----END PGP SIGNATURE-----