Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2020-2034 — PAN-OS: OS command injection vulnerability in GlobalProtect portal

Disclosure Date: July 08, 2020
CVE-2020-2034 CVSS v3 Base Score: 8.1
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.

Add Assessment

CVSS V3 Severity and Metrics
Base Score:
8.1 High
Impact Score:
5.9
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
remote
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
PAN-OS 9.1.3
PAN-OS 9.1.3
PAN-OS 9.0.9
PAN-OS 9.0.9
PAN-OS 8.1.15
PAN-OS 8.1.15
PAN-OS 8.0.*
PAN-OS 7.1.*
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Palo Alto Networks

Products

  • PAN-OS

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis

On July 8, 2020, Palo Alto Networks published details on an OS command injection vulnerability in their PAN-OS GlobalProtect portal. The vulnerability allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges and carries a CVSSv3 base score of 8.1. An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. According to the advisory, this issue cannot be exploited if the GlobalProtect portal feature is not enabled.

Affected products include:

  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • All versions of PAN-OS 8.0 and PAN-OS 7.1

Palo Alto Networks’s advisory notes that Prisma Access services and firewalls upgraded to the latest version of PAN-OS to resolve CVE-2020-2021 are not impacted by this vulnerability.

Rapid7 Analysis: Rapid7’s Project Sonar has identified just shy of 50,000 vulnerable PAN-OS instances on the public internet. At time of writing, there were no public proofs-of-concept for CVE-2020-2034, and Palo Alto Networks underlined that they are unaware of any active exploitation. Nevertheless, June 29’s publication of CVE-2020-2021 (a vulnerability in signature verification in PAN-OS’s SAML authentication that carried a CVSSv3 base score of 10) brought increased scrutiny to PAN-OS—which in turn increases the likelihood of exploitation by both APT and commodity threat actors, regardless of whether that exploitation has thus far been detected.

A Bishop Fox security researcher published a scanning tool to identify GlobalProtect portal instances and determine their underlying versions of PAN-OS.

Guidance: Palo Alto Networks customers should update to an unaffected version of PAN-OS as soon as is practical.