===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4020.3
               Multiple Palo Alto Networks Security Advisories
                               20 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2050 CVE-2020-2048 CVE-2020-2022 CVE-2020-2000
                   CVE-2020-1999

Original Bulletin:
   https://securityadvisories.paloaltonetworks.com/CVE-2020-1999
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2000
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2022
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2048
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2050

Comment: This bulletin contains five (5) Palo Alto security advisories.

Revision History:  November 20 2020: Vendor updated advisory relating to
                                     CVE-2020-2050
                   November 13 2020: Vendor updated advisories relating to
                                     CVE-2020-1999, CVE-2020-2000, CVE-2020-2050
                   November 12 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2020-1999

CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically crafted
packets

Severity:               5.3 MEDIUM
Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: NONE
Integrity Impact:       LOW
Availability Impact:    NONE

Published:  2020-11-11
Updated:    2020-11-13
Reference:  PAN-145133
Discovered internally

Description

A vulnerability exists in the Palo Alto Networks PAN-OS signature-based threat
detection engine that allows an attacker to evade threat prevention signatures
using specifically crafted TCP packets.

This CVE has no impact on the confidentiality and availability of PAN-OS. This
issue does not let an attacker access resources blocked by firewall policies
and it has no impact on the service availability. There could be an impact on
the accuracy of firewall threat prevention with some signatures, but there is
no impact on the integrity of other security features.

This issue impacts:
PAN-OS 8.1 versions earlier than 8.1.17;
PAN-OS 9.0 versions earlier than 9.0.11;
PAN-OS 9.1 versions earlier than 9.1.5;
All versions of PAN-OS 7.1 and PAN-OS 8.0.

Product Status

Product      Versions Affected   Unaffected
PAN-OS 10.0  None                10.0.*
PAN-OS 9.1   < 9.1.5             >= 9.1.5
PAN-OS 9.0   < 9.0.11            >= 9.0.11
PAN-OS 8.1   < 8.1.17            >= 8.1.17
PAN-OS 8.0   8.0.*
PAN-OS 7.1   7.1.*

Severity: MEDIUM
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-754 Improper Check for Unusual or Exceptional Conditions

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all
later PAN-OS versions.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

This issue was found by Vijay Prakash of Palo Alto Networks during internal
security review.
Timeline

2020-11-11 Initial publication

--------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2020-2000

CVE-2020-2000 PAN-OS: OS command injection and memory corruption vulnerability

Severity:               7.2 HIGH
Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    HIGH
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH

Published:  2020-11-11
Updated:    2020-11-13
Reference:  PAN-149822, PAN-150013 and PAN-150170
Discovered internally

Description

An OS command injection and memory corruption vulnerability in the PAN-OS
management web interface that allows authenticated administrators to disrupt
system processes and potentially execute arbitrary code and OS commands with
root privileges.

This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.4;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Product Status

Product      Versions Affected   Unaffected
PAN-OS 10.0  < 10.0.1            >= 10.0.1
PAN-OS 9.1   < 9.1.4             >= 9.1.4
PAN-OS 9.0   < 9.0.10            >= 9.0.10
PAN-OS 8.1   < 8.1.16            >= 8.1.16

Severity: HIGH
CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-20 Improper Input Validation
CWE-78 OS Command Injection
CWE-121 Stack-based Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4,
PAN-OS 10.0.1, and all later PAN-OS versions.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for
Unique Threat ID 59888 and 59891 on a firewall protecting the management
interface will block attacks against CVE-2020-2000.

This issue impacts the PAN-OS management web interface, but you can mitigate
the impact of this issue by following best practices for securing the
interface. Please review the Best Practices for Securing Administrative Access
in the PAN-OS technical documentation, available at
https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.

Timeline

2020-11-13 Added a new workaround
2020-11-11 Initial publication

--------------------------------------------------------------------------------

CVE-2020-2022 PAN-OS: Panorama session disclosure during context switch into
managed device

Severity:               7.5 HIGH
Attack Vector:          NETWORK
Attack Complexity:      HIGH
Privileges Required:    NONE
User Interaction:       REQUIRED
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH

Published:  2020-11-11
Updated:    2020-11-11
Reference:  PAN-125218
Discovered internally

Description

An information exposure vulnerability exists in Palo Alto Networks Panorama
software that discloses the token for the Panorama web interface
administrator's session to a managed device when the Panorama administrator
performs a context switch into that device. This vulnerability allows an
attacker to gain privileged access to the Panorama web interface. An attacker
requires some knowledge of managed firewalls to exploit this issue.

This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.

Product Status

Product      Versions Affected   Unaffected
PAN-OS 10.0  None                10.0.*
PAN-OS 9.1   < 9.1.5             >= 9.1.5
PAN-OS 9.0   < 9.0.11            >= 9.0.11
PAN-OS 8.1   < 8.1.17            >= 8.1.17

Required Configuration for Exposure

This issue is not applicable when custom certificate authentication is enabled
between Panorama and managed firewalls.
See https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-authentication-using-custom-certificates.html

Severity: HIGH
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-200 Information Exposure

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all
later PAN-OS versions.

Workarounds and Mitigations

This issue can be completely mitigated by enabling custom certificate
authentication between Panorama and managed firewalls. See
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-authentication-using-custom-certificates.html

This issue impacts the management web interface of appliances running PAN-OS
software and is strongly mitigated by following best practices for securing
the interface. Please review the Best Practices for Securing Administrative
Access in the PAN-OS technical documentation, available at:
https://docs.paloaltonetworks.com/best-practices

Acknowledgments

This issue was found by Ben Nott of Palo Alto Networks during internal
security review.

Timeline

2020-11-11 Initial publication

--------------------------------------------------------------------------------

CVE-2020-2048 PAN-OS: System proxy passwords may be logged in clear text while
viewing system state

Severity:               3.3 LOW
Attack Vector:          LOCAL
Attack Complexity:      LOW
Privileges Required:    LOW
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: LOW
Integrity Impact:       NONE
Availability Impact:    NONE

Published:  2020-11-11
Updated:    2020-11-11
Reference:  PAN-140157
Discovered in production use

Description

An information exposure through log file vulnerability exists where the
password for the configured system proxy server for a PAN-OS appliance may be
displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS
software.
This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.

Product Status

Product      Versions Affected   Unaffected
PAN-OS 10.0  None                10.0.*
PAN-OS 9.1   < 9.1.2             >= 9.1.2
PAN-OS 9.0   < 9.0.11            >= 9.0.11
PAN-OS 8.1   < 8.1.17            >= 8.1.17

Required Configuration for Exposure

This issue is only applicable when a system proxy server is configured on the
firewall. You can verify this in the management web interface:
Setup -> Services -> Proxy Server.

Severity: LOW
CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-532 Information Exposure Through Log Files

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.2, and all
later PAN-OS versions.

Workarounds and Mitigations

This issue impacts the management web interface. You can mitigate the impact
of this issue by following best practices for securing the interface. Please
review the Best Practices for Securing Administrative Access in the PAN-OS
technical documentation, available at
https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

This issue was found by a customer of Palo Alto Networks during internal
security review.

Timeline

2020-11-11 Initial publication

--------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2020-2050

CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in GlobalProtect
client certificate verification

Severity:               8.2 HIGH
Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       LOW
Availability Impact:    NONE

Published:  2020-11-11
Updated:    2020-11-19
Reference:  PAN-146650
Discovered internally

Description

An authentication bypass vulnerability exists in the GlobalProtect SSL VPN
component of Palo Alto Networks PAN-OS software that allows an attacker to
bypass all client certificate checks with an invalid certificate. A remote
attacker can successfully authenticate as any user and gain access to
restricted VPN network resources when the gateway or portal is configured to
rely entirely on certificate-based authentication.

Impacted features that use SSL VPN with client certificate verification are:
GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN,
GlobalProtect Large Scale VPN

In configurations where client certificate verification is used in conjunction
with other authentication methods, the protections added by the certificate
check are ignored as a result of this issue.

This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.5;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Product Status

Product      Versions Affected   Unaffected
PAN-OS 10.0  < 10.0.1            >= 10.0.1
PAN-OS 9.1   < 9.1.5             >= 9.1.5
PAN-OS 9.0   < 9.0.11            >= 9.0.11
PAN-OS 8.1   < 8.1.17            >= 8.1.17

Required Configuration for Exposure

This issue is only applicable to PAN-OS appliances using the GlobalProtect
VPN, gateway, or portal configured to allow users to authenticate with client
certificate authentication. This issue cannot be exploited if client
certificate authentication is not in use. Other forms of authentication are
not impacted by this issue.
Severity: HIGH
CVSSv3.1 Base Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-285 Improper Authorization

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5,
PAN-OS 10.0.1, and all later PAN-OS versions.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for
Unique Threat ID 59884 on traffic destined for the GlobalProtect portal,
gateway, or VPN will block attacks against CVE-2020-2050.

This issue can be mitigated by configuring GlobalProtect to require users to
authenticate with their credentials. Other authentication methods are not
impacted by this issue.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.

Frequently Asked Questions

Q. Is this a remote code execution (RCE)?
No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?
No evidence of active exploitation has been identified as of this time. This
issue was proactively found and fixed by Palo Alto Networks.

Q. Is IPSec based VPN vulnerable to this issue?
IPSec based VPN is not impacted by this vulnerability.

Q. Is GlobalProtect pre-logon feature affected by this issue?
GlobalProtect pre-logon feature using client certificates for authentication
is affected by this issue.

Timeline

2020-11-19 Updated to mention LSVPN and IPSec based VPN is not affected.
2020-11-13 New workaround is available.
2020-11-11 Initial publication

(C) 2020 Palo Alto Networks, Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
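As an added example (not part of the AusCERT bulletin or of the vendor advisories), the following Python check maps an installed PAN-OS version onto the affected ranges and the "Required Configuration for Exposure" conditions transcribed from the five advisories above, so a fleet inventory can be triaged against this bulletin. The `-hN` hotfix suffix handling and the configuration flag names are this example's own assumptions, not PAN-OS setting names.

```python
"""Added example: triage a PAN-OS version against the five advisories in ESB-2020.4020.3."""
import re

# Fixed release per train, transcribed from each advisory's Product Status table.
# None means the whole train is affected with no fixed release; a train absent from
# a CVE's dict is listed as unaffected for that CVE.
ADVISORIES = {
    "CVE-2020-1999": {"7.1": None, "8.0": None, "8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.5"},
    "CVE-2020-2000": {"8.1": "8.1.16", "9.0": "9.0.10", "9.1": "9.1.4", "10.0": "10.0.1"},
    "CVE-2020-2022": {"8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.5"},
    "CVE-2020-2048": {"8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.2"},
    "CVE-2020-2050": {"8.1": "8.1.17", "9.0": "9.0.11", "9.1": "9.1.5", "10.0": "10.0.1"},
}

# Exposure preconditions per advisory: (config flag, value under which you are exposed).
# Flag names are this example's own assumptions, not PAN-OS configuration keys.
EXPOSURE = {
    "CVE-2020-2022": ("panorama_custom_cert_auth", False),   # not applicable once custom certs are on
    "CVE-2020-2048": ("system_proxy_configured", True),      # Setup -> Services -> Proxy Server
    "CVE-2020-2050": ("globalprotect_client_cert_auth", True),
}

# Accepts "PAN-OS 9.0.10", "9.0.10" or "9.0.10-h1" (hotfix suffix is an assumed convention).
VERSION_RE = re.compile(r"(?:PAN-OS\s+)?(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text):
    """Return a comparable (major, minor, maintenance, hotfix) tuple; hotfix defaults to 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def affected_by(version, cve):
    """True if `version` falls inside the affected range the bulletin gives for `cve`."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in ADVISORIES[cve]:
        return False                 # train listed as unaffected (e.g. 10.0 for CVE-2020-2022)
    fixed = ADVISORIES[cve][train]
    if fixed is None:
        return True                  # no fixed release on this train (7.1/8.0 for CVE-2020-1999)
    return v < parse_version(fixed)  # a hotfix of the fixed release (9.1.5-h1) counts as fixed


def assess(version, config):
    """Classify each CVE for `version`; an unknown config flag is conservatively treated as exposed."""
    report = {}
    for cve in ADVISORIES:
        if not affected_by(version, cve):
            report[cve] = "not affected"
        elif cve in EXPOSURE and config.get(EXPOSURE[cve][0], EXPOSURE[cve][1]) != EXPOSURE[cve][1]:
            report[cve] = "vulnerable release, exposure condition not met"
        else:
            report[cve] = "affected"
    return report
```

Note that CVE-2020-2048 is fixed in 9.1.2 while the other four need 9.1.5 on that train, so a 9.1.4 device reads as clean for one advisory and exposed for the rest.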