On July 8, 2020, Palo Alto Networks published details on an OS command injection vulnerability in their PAN-OS GlobalProtect portal. The vulnerability allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges and carries a CVSSv3 base score of 8.1. An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. According to the advisory, this issue cannot be exploited if the GlobalProtect portal feature is not enabled.

Affected products include:

• PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  
• PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  
• PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  
• All versions of PAN-OS 8.0 and PAN-OS 7.1
  

Palo Alto Networks’s advisory notes that Prisma Access services and firewalls upgraded to the latest version of PAN-OS to resolve CVE-2020-2021 are not impacted by this vulnerability.

Rapid7 Analysis: Rapid7’s Project Sonar has identified just shy of 50,000 vulnerable PAN-OS instances on the public internet. At time of writing, there were no public proofs-of-concept for CVE-2020-2034, and Palo Alto Networks underlined that they are unaware of any active exploitation. Nevertheless, June 29’s publication of CVE-2020-2021 (a vulnerability in signature verification in PAN-OS’s SAML authentication that carried a CVSSv3 base score of 10) brought increased scrutiny to PAN-OS—which in turn increases the likelihood of exploitation by both APT and commodity threat actors, regardless of whether that exploitation has thus far been detected.

A Bishop Fox security researcher published a scanning tool to identify GlobalProtect portal instances and determine their underlying versions of PAN-OS.

Guidance: Palo Alto Networks customers should update to an unaffected version of PAN-OS as soon as is practical.