
Palo Alto Networks Patches 6 Firewall Vulnerabilities

Positive Technologies Describes the Risks Posed by Flaws
The security firm Positive Technologies discovered four vulnerabilities in PAN-OS, the operating system that runs Palo Alto Networks' next-generation firewalls. Palo Alto Networks has issued patches for these and for two further PAN-OS flaws disclosed alongside them.

Three of the four are rated "high severity" and one "medium," according to the Positive Technologies report; the two additional flaws are described separately below.

Palo Alto Networks has confirmed the flaws and published patches, and it recommends that customers apply them as soon as possible.

If left unpatched, "attackers can use these vulnerabilities to gain access to sensitive data or develop the attack to gain access to the internal segments of the network of a company that uses vulnerable protection tools," according to the authors of the report: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies.

The vulnerabilities can be leveraged to obtain the highest privileges in the firewall's operating system, letting an attacker perform any action with administrator-level authority in the Palo Alto Networks software, such as running arbitrary system commands, or to trigger a denial-of-service condition, the report states.

"The security of our customers is our top priority. We want to thank the researchers for alerting us and sharing their findings. We took immediate steps toward fixing the issues and published security advisories," a Palo Alto Networks spokesperson tells Information Security Media Group.

Significant Vulnerabilities

The three "high severity" vulnerabilities included in the report are listed below. All three sit in the firewall's management interface, so an attacker must either reach that interface directly or get an administrator who can reach it to follow a link; keeping management access off the internet and on a dedicated network narrows both paths but does not replace the patch.

  • CVE-2020-2036, a reflected cross-site scripting flaw with a CVSS score of 8.8. To exploit it, an attacker has to get an administrator who holds an active authenticated session on the firewall's management interface to click a specially crafted link. The injected JavaScript then runs in the administrator's browser inside that session, handing the attacker the administrator's privileges. "The attack can be conducted from the internet, but if the administrator panel is located inside, attackers will have to know its address inside the network," the researchers say.
  • CVE-2020-2037, an OS command injection vulnerability with a CVSS score of 7.2 that allows arbitrary OS commands to be executed on the firewall. Exploiting it requires first authenticating to the firewall's management web interface. Once logged in, the attacker opens a particular section of the interface, submits malicious input through one of its web forms and obtains the highest privileges in the operating system.
  • CVE-2020-2038, a second OS command injection vulnerability, also scored 7.2, in the PAN-OS management interface. It lets an authenticated user smuggle additional system commands into otherwise legitimate requests, which opens the way to a range of follow-on attacks.
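The two injection classes above, OS command injection through a web form and reflected cross-site scripting, come down to untrusted input reaching a shell or an HTML page unchecked. The Python below is an added illustration written for this article, not code from PAN-OS, Palo Alto Networks or the Positive Technologies report, and it does not reproduce the actual vulnerable endpoints. The handler names, the `echo`-based lookup command standing in for a real diagnostic tool, and the `INJECTION_PAYLOAD` string are constructed for the demonstration. Each vulnerable pattern is paired with its hardened form: an allow-list plus an argv list instead of a shell string for the command, and HTML escaping before reflection for the page.

```python
import html
import re
import subprocess

# Constructed payload for the demonstration (not from the advisories): a
# "hostname" form value carrying a shell metacharacter and a second command.
INJECTION_PAYLOAD = "203.0.113.10; echo INJECTED"

# Allow-list for a hostname field: letters, digits, dots and hyphens, bounded length.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def run_lookup_vulnerable(target: str) -> str:
    """Vulnerable pattern: the form value is spliced into a shell command line.

    'echo' stands in for whatever diagnostic tool a real handler would call.
    Because shell=True hands the string to /bin/sh, the ';' in the value ends
    the intended command and everything after it runs as a second command.
    """
    cmd = f"echo lookup {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_lookup_hardened(target: str) -> str:
    """Hardened form: allow-list the value, then pass it as one argv element.

    No shell is involved, so metacharacters would not be interpreted even if
    the regex let one through; the allow-list is the primary control.
    """
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    argv = ["echo", "lookup", target]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS pattern: a URL parameter echoed straight into HTML.

    A crafted link carrying <script> in the parameter runs in the browser
    of whoever follows it, inside that user's authenticated session.
    """
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Escape before reflecting, so markup in the parameter is shown as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    print("vulnerable:", run_lookup_vulnerable(INJECTION_PAYLOAD).strip())
    try:
        run_lookup_hardened(INJECTION_PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
    xss = "<script>alert(document.cookie)</script>"
    print(render_search_vulnerable(xss))
    print(render_search_hardened(xss))
```

Run it and the vulnerable lookup prints `INJECTED` on its own line, showing that the second command executed; the hardened lookup refuses the same value before any process is started. The escaping step in `render_search_hardened` is the minimum for a value placed in HTML body text; a value reflected into an attribute, a URL or a script block needs the encoding appropriate to that context.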

The flaw rated a "medium" risk is CVE-2020-2039, which the researchers found could allow an unauthenticated user to upload arbitrary files of any size to a particular directory on the firewall. By sending an unlimited number of files of arbitrary size, an attacker can fill the file system, which makes the administrator panel unavailable and leaves the device open to further attack, according to the report.
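The medium-rated flaw is a resource-exhaustion problem: an upload path that asks for no credentials and caps neither file size nor file count lets anyone fill the disk under the management plane. The Python below is an added illustration, not code from PAN-OS or from the researchers' report; the handler, the scratch directory and the limit values are assumptions chosen for the demonstration. It shows the controls such a handler needs: an authentication check before any byte is written, a streamed per-file ceiling so a never-ending body is cut off rather than buffered, a floor on free disk space, a cap on files per directory, and a basename-only file name so the upload cannot be steered into another directory. The `demo()` function exercises each control in a temporary directory and returns the outcomes.

```python
import os
import shutil
import tempfile
from typing import Callable, Dict, Iterable

# Assumed policy values for the demonstration; a real deployment sets its own.
MAX_FILE_BYTES = 1 * 1024 * 1024        # per-upload ceiling
MAX_FILES_PER_DIR = 100                 # per-directory count cap
MIN_FREE_BYTES = 256 * 1024 * 1024      # never let free space drop below this


class UploadRejected(Exception):
    """Raised for any policy violation; a web handler would map it to an HTTP 4xx."""


def save_upload(upload_dir: str, name: str, chunks: Iterable[bytes],
                authenticated: bool, *, max_file_bytes: int = MAX_FILE_BYTES,
                max_files: int = MAX_FILES_PER_DIR,
                min_free_bytes: int = MIN_FREE_BYTES) -> str:
    """Store an uploaded body from `chunks` under `upload_dir`, enforcing policy.

    Returns the final path. Nothing is left on disk when the upload is rejected.
    """
    # 1. Authentication first: an anonymous client never reaches the disk.
    if not authenticated:
        raise UploadRejected("authentication required")
    # 2. Only the basename is used, so "../x" cannot escape upload_dir.
    safe_name = os.path.basename(name)
    if safe_name in ("", ".", "..") or safe_name.endswith(".part"):
        raise UploadRejected("invalid file name")
    # 3. Count cap: a flood of small files is bounded as well as a few huge ones.
    if len(os.listdir(upload_dir)) >= max_files:
        raise UploadRejected("directory file cap reached")
    dest = os.path.join(upload_dir, safe_name)
    part = dest + ".part"
    written = 0
    try:
        with open(part, "wb") as fh:
            for chunk in chunks:
                written += len(chunk)
                # 4. Per-file ceiling checked per chunk, so the body is never
                #    read or buffered in full before the limit applies.
                if written > max_file_bytes:
                    raise UploadRejected("exceeds per-file limit")
                # 5. Free-space floor: refuse rather than fill the file system.
                if shutil.disk_usage(upload_dir).free - len(chunk) < min_free_bytes:
                    raise UploadRejected("would exhaust free space")
                fh.write(chunk)
    except UploadRejected:
        if os.path.exists(part):
            os.remove(part)
        raise
    os.replace(part, dest)
    return dest


def _outcome(action: Callable[[], str]) -> str:
    """Run one upload attempt and report 'saved' or the rejection reason."""
    try:
        action()
        return "saved"
    except UploadRejected as exc:
        return str(exc)


def _endless(chunk: bytes = b"A" * 65536):
    """A body that never ends, like a client streaming garbage at the endpoint."""
    while True:
        yield chunk


def demo() -> Dict[str, object]:
    """Exercise each control with constructed inputs in a scratch directory."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        results["unauth"] = _outcome(lambda: save_upload(d, "a.bin", [b"x"], False))
        results["oversize"] = _outcome(lambda: save_upload(
            d, "b.bin", _endless(), True, max_file_bytes=262144, min_free_bytes=0))
        results["no_partial_left"] = os.listdir(d) == []
        saved = save_upload(d, "../../etc/passwd", [b"ok"], True, min_free_bytes=0)
        results["traversal_contained"] = (os.path.dirname(saved) == d
                                         and os.path.basename(saved) == "passwd")
        results["low_space"] = _outcome(lambda: save_upload(
            d, "c.bin", [b"x"], True,
            min_free_bytes=shutil.disk_usage(d).free + (1 << 40)))
        results["second_ok"] = _outcome(lambda: save_upload(
            d, "d.bin", [b"x"], True, max_files=2, min_free_bytes=0))
        results["count_cap"] = _outcome(lambda: save_upload(
            d, "e.bin", [b"x"], True, max_files=2, min_free_bytes=0))
        results["files_on_disk"] = sorted(os.listdir(d))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-chunk checks are the point: a size limit applied only after the whole body has been read still lets a client consume the disk or memory first. The free-space floor is deliberately a hard refusal rather than a cleanup job, because the management plane shares the file system with everything else on the appliance.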

Additional PAN-OS Issues

Positive Technologies' disclosure also covered two further PAN-OS flaws that Palo Alto Networks patched in the same round.

CVE-2020-2040 could allow a remote, unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a crafted request to the Captive Portal or multifactor authentication interface, so it is reachable only on firewalls that have one of those features enabled. Because it requires no credentials and yields root, it is the most dangerous flaw in the set. The vulnerability affects all versions of PAN-OS 8.0.

CVE-2020-2041 is an insecure configuration of the appweb daemon in PAN-OS 8.1 that could allow a remote, unauthenticated user to send a request that crashes the service.

Previous Problems

In June, Palo Alto Networks published an alert warning of a "critical" vulnerability in PAN-OS that could allow remote attackers to bypass authentication and execute arbitrary code on vulnerable systems, paving the way for a full compromise of an organization's network and systems. A patch is available.

The June alert from Palo Alto Networks also drew notice from U.S. Cyber Command, which issued its own warning to U.S. companies (see: US Cyber Command Alert: Patch Palo Alto Networks Products).

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
