Palo Alto Networks Patches 6 Firewall VulnerabilitiesPositive Technologies Describes the Risks Posed by Flaws
The security firm Positive Technologies discovered four vulnerabilities in Palo Alto Networks' PAN-OS, the software that runs the company's next-generation firewalls. The firewall developer has issued patches for these as well as several others.
Three flaws are rated as "high severity," while one is rated as "medium" and the other two are less severe, according to the Positive Technologies report.
Palo Alto Networks has confirmed the flaws and published patches. It's recommending users apply the patches as soon as possible.
If left unpatched, "attackers can use these vulnerabilities to gain access to sensitive data or develop the attack to gain access to the internal segments of the network of a company that uses vulnerable protection tools," according to the authors of the report: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies.
The vulnerabilities can be leveraged to obtain maximum privileges in the operating system, enabling a hacker to perform any action with administrator-level authority within the Palo Alto application, such as running arbitrary system commands, or create a denial-of-service situation, the report states.
"The security of our customers is our top priority. We want to thank the researchers for alerting us and sharing their findings. We took immediate steps toward fixing the issues and published security advisories," a Palo Alto Networks spokesperson tells Information Security Media Group.
The three "high severity" vulnerabilities included in the report are:
- CVE-2020-2037, a command injection vulnerability with a CVSS score of 7.2. It could allow for executing arbitrary OS commands in the firewall. To take advantage of this flaw, an attacker would need to obtain authorization in the software data management web interface. After that, attackers could access a special firewall section, place malicious code in one of the web forms and obtain maximum privileges in the OS.
- CVE-2020-2038, an OS command injection vulnerability with a score of 7.2. The vulnerability was detected in the PAN-OS software interface. It extends the set of system commands, enabling a variety of potential attacks.
The flaw rated a "medium" risk is CVE-2020-2039, which the researchers found could allow an unauthorized user to upload arbitrary files of any size to a certain directory on the firewall server that could lead to a denial-of-service attack. To exploit this vulnerability, attackers can upload an unlimited number of files of various sizes, which may completely deplete free space in the system making the administrator panel unavailable and vulnerable to attack, according to the report.
Additional PAN-OS Issues
Positive Technologies researchers also discovered two other less significant flaws in PAN-OS.
CVE-2020-2040 could allow hackers to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the captive portal or multifactor authentication interface. This vulnerability impacts all versions of PAN-OS 8.0.
CVE-2020-2041 is an insecure configuration of the appweb daemon of Palo Alto Networks PAN-OS 8.1 that could allow a remote unauthenticated user to send a request to a device that causes the service to crash.
In June, Palo Alto Networks published an alert that warned of a "critical" vulnerability in the PAN-OS software that could allow remote attackers to bypass authentication and execute arbitrary code on vulnerable systems, paving the way for a full compromise of an organization's network and systems. A patch is available.
The June alert from Palo Alto Networks also drew notice from U.S. Cyber Command, which issued its own warning to U.S. companies (see: US Cyber Command Alert: Patch Palo Alto Networks Products).