Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-2034 — PAN-OS: OS command injection vulnerability in GlobalProtect portal

Disclosure Date: July 08, 2020

Description

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.

General Information

Vendors

  • Palo Alto Networks

Products

  • PAN-OS

Additional Info

Technical Analysis

On July 8, 2020, Palo Alto Networks published details on an OS command injection vulnerability in their PAN-OS GlobalProtect portal. The vulnerability allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges and carries a CVSSv3 base score of 8.1. To exploit this issue, an attacker would need some level of specific information about the configuration of an impacted firewall, or would have to perform brute-force attacks. According to the advisory, this issue cannot be exploited if the GlobalProtect portal feature is not enabled.

Affected products include:

  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • All versions of PAN-OS 8.0 and PAN-OS 7.1

Palo Alto Networks’s advisory notes that Prisma Access services and firewalls upgraded to the latest version of PAN-OS to resolve CVE-2020-2021 are not impacted by this vulnerability.
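
The version ranges above can be turned into an inventory triage check. This is an added example, not code from Rapid7 or Palo Alto Networks; the hostnames, the inventory layout and the status labels are constructed, and the `major.minor.maintenance[-hN]` version format is an assumption about how the firewalls report their version.

```python
import re

# Fixed maintenance release per branch; branches affected in every version.
FIXED = {(9, 1): 3, (9, 0): 9, (8, 1): 15}
ALL_AFFECTED = {(8, 0), (7, 1)}
# Assumed version format: major.minor.maintenance with optional -hN hotfix.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix); raise ValueError if malformed."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(version, portal_enabled=True):
    """Classify a firewall: affected, affected-portal-off, fixed or unlisted."""
    major, minor, maint, _hotfix = parse_panos_version(version)
    branch = (major, minor)
    if branch in FIXED:
        # A hotfix build (9.1.2-h1) is still earlier than the next maintenance
        # release (9.1.3), so only the maintenance number is compared.
        if maint >= FIXED[branch]:
            return "fixed"
    elif branch not in ALL_AFFECTED:
        return "unlisted"  # branch not covered here; consult the vendor advisory
    # Vulnerable build: exploitable only when the GlobalProtect portal is enabled.
    return "affected" if portal_enabled else "affected-portal-off"


def triage(inventory):
    """Map host -> status; malformed versions are reported, never dropped."""
    report = {}
    for host, (version, portal_enabled) in inventory.items():
        try:
            report[host] = assess(version, portal_enabled)
        except ValueError:
            report[host] = "unparsed"
    return report


# Constructed sample inventory: host -> (reported version, portal enabled?)
SAMPLE = {
    "fw-edge-01": ("9.1.2-h1", True),
    "fw-core-01": ("9.0.8", False),
    "fw-lab": ("unknown", True),
}
```

Calling `triage(SAMPLE)` returns a per-host status; hosts marked `affected-portal-off` still run a vulnerable build and belong on the upgrade list even though the portal is disabled.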

Rapid7 Analysis: Rapid7’s Project Sonar has identified just shy of 50,000 vulnerable PAN-OS instances on the public internet. At time of writing, there were no public proofs-of-concept for CVE-2020-2034, and Palo Alto Networks underlined that they are unaware of any active exploitation. Nevertheless, June 29’s publication of CVE-2020-2021 (a vulnerability in signature verification in PAN-OS’s SAML authentication that carried a CVSSv3 base score of 10) brought increased scrutiny to PAN-OS—which in turn increases the likelihood of exploitation by both APT and commodity threat actors, regardless of whether that exploitation has thus far been detected.

A Bishop Fox security researcher published a scanning tool to identify GlobalProtect portal instances and determine their underlying versions of PAN-OS.

Guidance: Palo Alto Networks customers should update to an unaffected version of PAN-OS as soon as is practical.