-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.4020.3
              Multiple Palo Alto Networks Security Advisories
                             20 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Existing Account      
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2050 CVE-2020-2048 CVE-2020-2022
                   CVE-2020-2000 CVE-2020-1999 

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2020-1999
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2000
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2022
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2048
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2050

Comment: This bulletin contains five (5) Palo Alto security advisories.

Revision History:  November 20 2020: Vendor updated advisory relating to CVE-2020-2050
                   November 13 2020: Vendor updated advisories relating to CVE-2020-1999, CVE-2020-2000, CVE-2020-2050
                   November 12 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2020-1999

CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically crafted
packets

047910
Severity 5.3 . MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact LOW
Availability Impact NONE
NVD JSON     
Published 2020-11-11
Updated 2020-11-13
Reference PAN-145133
Discovered internally

Description

A vulnerability exists in the Palo Alto Network PAN-OS signature-based threat
detection engine that allows an attacker to evade threat prevention signatures
using specifically crafted TCP packets.

This CVE has no impact on the confidentiality and availability of PAN-OS. This
issue does not let an attacker access resources blocked by firewall policies
and it has no impact on the service availability. There could be an impact on
the accuracy of firewall threat prevention with some signatures, but there is
no impact on the integrity of other security features.

This issue impacts:

PAN-OS 8.1 versions earlier than 8.1.17;

PAN-OS 9.0 versions earlier than 9.0.11;

PAN-OS 9.1 versions earlier than 9.1.5;

All versions of PAN-OS 7.1 and PAN-OS 8.0.

Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     10.0.*
PAN-OS 9.1   < 9.1.5  >= 9.1.5
PAN-OS 9.0   < 9.0.11 >= 9.0.11
PAN-OS 8.1   < 8.1.17 >= 8.1.17
PAN-OS 8.0   8.0.*
PAN-OS 7.1   7.1.*

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-754 Improper Check for Unusual or Exceptional Conditions

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all
later PAN-OS versions.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

This issue was found by Vijay Prakash of Palo Alto Networks during internal
security review.

Timeline

2020-11-11 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2020-2000

CVE-2020-2000 PAN-OS: OS command injection and memory corruption vulnerability

047910
Severity 7.2 . HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
NVD JSON     
Published 2020-11-11
Updated 2020-11-13
Reference PAN-149822, PAN-150013 and PAN-150170
Discovered internally

Description

An OS command injection and memory corruption vulnerability in the PAN-OS
management web interface that allows authenticated administrators to disrupt
system processes and potentially execute arbitrary code and OS commands with
root privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.16;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.10;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.4;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  < 10.0.1 >= 10.0.1
PAN-OS 9.1   < 9.1.4  >= 9.1.4
PAN-OS 9.0   < 9.0.10 >= 9.0.10
PAN-OS 8.1   < 8.1.16 >= 8.1.16

Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-20 Improper Input Validation

CWE-78 OS Command Injection

CWE-121 Stack-based Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS
10.0.1, and all later PAN-OS versions.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for
Unique Threat ID 59888, and 59891 on a firewall protecting the management
interface will block attacks against CVE-2020-2000.

This issue impacts the PAN-OS management web interface but you can mitigate the
impact of this issue by following best practices for securing the interface.
Please review the Best Practices for Securing Administrative Access in the
PAN-OS technical documentation, available at https://docs.paloaltonetworks.com/
best-practices.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.

Timeline

2020-11-13 Added a new workaround
2020-11-11 Initial publication


- --------------------------------------------------------------------------------


CVE-2020-2022 PAN-OS: Panorama session disclosure during context switch into
managed device

047910
Severity 7.5 . HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
NVD JSON     
Published 2020-11-11
Updated 2020-11-11
Reference PAN-125218
Discovered internally

Description

An information exposure vulnerability exists in Palo Alto Networks Panorama
software that discloses the token for the Panorama web interface
administrator's session to a managed device when the Panorama administrator
performs a context switch into that device. This vulnerability allows an
attacker to gain privileged access to the Panorama web interface. An attacker
requires some knowledge of managed firewalls to exploit this issue.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.

Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     10.0.*
PAN-OS 9.1   < 9.1.5  >= 9.1.5
PAN-OS 9.0   < 9.0.11 >= 9.0.11
PAN-OS 8.1   < 8.1.17 >= 8.1.17

Required Configuration for Exposure

This issue is not applicable when custom certificate authentication is enabled
between Panorama and managed firewalls. See https://docs.paloaltonetworks.com/
panorama/10-0/panorama-admin/set-up-panorama/
set-up-authentication-using-custom-certificates.html

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-200 Information Exposure

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all
later PAN-OS versions.

Workarounds and Mitigations

This issue can be completely mitigated by enabling custom certificate
authentication between Panorama and managed firewalls. See https://
docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/
set-up-authentication-using-custom-certificates.html

This issue impacts the management web interface of appliances running PAN-OS
software and is strongly mitigated by following best practices for securing the
interface. Please review the Best Practices for Securing Administrative Access
in the PAN-OS technical documentation, available at: https://
docs.paloaltonetworks.com/best-practices

Acknowledgments

This issue was found by Ben Nott of Palo Alto Networks during internal security
review.

Timeline

2020-11-11 Initial publication


- --------------------------------------------------------------------------------


CVE-2020-2048 PAN-OS: System proxy passwords may be logged in clear text while
viewing system state

047910
Severity 3.3 . LOW
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact NONE
NVD JSON     
Published 2020-11-11
Updated 2020-11-11
Reference PAN-140157
Discovered in production use

Description

An information exposure through log file vulnerability exists where the
password for the configured system proxy server for a PAN-OS appliance may be
displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS
software.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.

Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  None     10.0.*
PAN-OS 9.1   < 9.1.2  >= 9.1.2
PAN-OS 9.0   < 9.0.11 >= 9.0.11
PAN-OS 8.1   < 8.1.17 >= 8.1.17

Required Configuration for Exposure

This issue is only applicable when a system proxy server is configured on the
firewall. You can verify this in the management web interface: Setup ->
Services -> Proxy Server.

Severity: LOW

CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-532 Information Exposure Through Log Files

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.2, and all
later PAN-OS versions.

Workarounds and Mitigations

This issue impacts the management web interface. You can mitigate the impact of
this issue by following best practices for securing the interface. Please
review the Best Practices for Securing Administrative Access in the PAN-OS
technical documentation, available at https://docs.paloaltonetworks.com/
best-practices.

Acknowledgments

This issue was found by a customer of Palo Alto Networks during internal
security review.

Timeline

2020-11-11 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2020-2050

CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in GlobalProtect
client certificate verification

047910
Severity 8.2 . HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact LOW
Availability Impact NONE
NVD JSON     
Published 2020-11-11
Updated 2020-11-19
Reference PAN-146650
Discovered internally

Description

An authentication bypass vulnerability exists in the GlobalProtect SSL VPN
component of Palo Alto Networks PAN-OS software that allows an attacker to
bypass all client certificate checks with an invalid certificate. A remote
attacker can successfully authenticate as any user and gain access to
restricted VPN network resources when the gateway or portal is configured to
rely entirely on certificate-based authentication.

Impacted features that use SSL VPN with client certificate verification are:

GlobalProtect Gateway,
GlobalProtect Portal,
GlobalProtect Clientless VPN,
GlobalProtect Large Scale VPN

In configurations where client certificate verification is used in conjunction
with other authentication methods, the protections added by the certificate
check are ignored as a result of this issue.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.5;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  < 10.0.1 >= 10.0.1
PAN-OS 9.1   < 9.1.5  >= 9.1.5
PAN-OS 9.0   < 9.0.11 >= 9.0.11
PAN-OS 8.1   < 8.1.17 >= 8.1.17

Required Configuration for Exposure

This issue is only applicable to PAN-OS appliances using the GlobalProtect VPN,
gateway, or portal configured to allow users to authenticate with client
certificate authentication.

This issue can not be exploited if client certificate authentication is not in
use.

Other forms of authentication are not impacted by this issue.

Severity: HIGH

CVSSv3.1 Base Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-285 Improper Authorization

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, PAN-OS
10.0.1, and all later PAN-OS versions.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for
Unique Threat ID 59884 on traffic destined for the GlobalProtect portal,
gateway, or VPN will block attacks against CVE-2020-2050.

This issue can be mitigated by configuring GlobalProtect to require users to
authenticate with their credentials. Other authentication methods are not
impacted by this issue.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.

Frequently Asked Questions

Q. Is this a remote code execution (RCE)?

    No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?

    No evidence of active exploitation has been identified as of this time.
    This issue was proactively found and fixed by Palo Alto Networks.

Q. Is IPSec based VPN vulnerable to this issue?

    IPSec based VPN is not impacted by this vulnerability.

Q. Is GlobalProtect pre-logon feature affected by this issue?

    GlobalProtect pre-logon feature using client certificates for
    authentication is affected by this issue.

Timeline

2020-11-19 Updated to mention LSVPN and IPSec based VPN is not affected.
2020-11-13 New workaround is available.
2020-11-11 Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure
Policy Report vulnerabilitiesManage subscriptions
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7b/0ONLKJtyKPYoAQj6iA/+LePVLbB/yq0TKRv7BCmk57zYqPSgAJNg
sPhiAbc5KBsPvqBIIcM2kuC461Zl6Q4GbdTSkNWdZt0+j+O3hqK/lA9dElm/eEHG
h4jEGvboF3z5YGrijsBGh2O0nU4LgERQVBpNJc6ssl2v5WkZ4H4JR+gdIaWlcdh4
lBtQPf/kKrNqnyZVenmPAATTIr6WlH1lAUR37mp5sUMusHZ2lgNhnqXj/hA6eW7j
mFyHNjCTUEcvnkIl80WqLG+dV0lAQf+6Ansi8It6x5MTtVNHqdAB/ntqqnNGYRMs
nuthfYSDG4pbyZsVAHND80pl319DPWzdhetYtEzIm1LMVigqvOogyBlrq6JsTP4/
MAanN3k91Q+5cMQ0a28TSO5x43haaMISRMjkcAmcd7mz0DehE4A4m+lFnzv5XeHR
tHWrdhyizMVdgPxyVrC4sRLzqrnLvvYZ6bKHnnbHfsjwthtNh16/zhuTB46XGGAt
kxFK4oAisIb5pBc6f0xMWruQ6PRTTeiDk84mctyAT/7iuB7MyUsHpdf5XBdi82Ul
KA2Dhjv6Y19HDuyDZvmcER2q+UQ+wwhzikcktUo72oN1Xi1ugLwETKujGUki0wO4
GL3rA+qabdFaIxBoTpFVOsXM3v5oDtouGzxMp4ukTLBaS1+DpxillK/Bo/kFvwoZ
j1o5h5A700A=
=mJmp
-----END PGP SIGNATURE-----