Palo Alto Networks (PAN) today addressed another severe vulnerability found in the PAN-OS GlobalProtect portal and affecting unpatched PAN next-generation firewalls.
On June 29, PAN also patched a critical vulnerability (CVE-2020-2021) with a 10/10 CVSSv3 rating, allowing unauthenticated network-based attackers to bypass authentication on PAN-OS devices with SAML auth enabled and the ‘Validate Identity Provider Certificate’ option disabled.
The OS command injection vulnerability patched today and tracked as CVE-2020-2034 allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges on unpatched devices.
The CVE-2020-2034 vulnerability has been rated as high severity with a CVSS 3.x base score of 8.1, and it can be exploited by threat actors with network access to vulnerable devices as part of high-complexity attacks that don’t require user interaction.
Only affects devices with GlobalProtect portal enabled
“This issue can not be exploited if GlobalProtect portal feature is not enabled,” PAN’s security advisory explains. “Prisma Access services are not impacted by this vulnerability.”
The table embedded below includes the affected PAN-OS versions, as well as those that received patches from Palo Alto Networks to defend against potential attacks (the issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all newer versions).
PAN-OS 7.1 and PAN-OS 8.0 are end-of-life and will not receive security updates to address this vulnerability.
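A quick way for defenders to triage an inventory against the advisory's fix list is to encode the fixed releases per PAN-OS train and compare. The script below is an added example, not code from Palo Alto Networks or this article; it assumes the familiar "major.minor.maintenance[-hN]" version format, and the fixed and end-of-life trains are those stated above.

```python
import re
from typing import Tuple

# Fixed maintenance release per PAN-OS train, as stated in the advisory summary above.
FIXED_IN = {(8, 1): 15, (9, 0): 9, (9, 1): 3}
# Trains that are end-of-life and will not receive a fix for CVE-2020-2034.
END_OF_LIFE = {(7, 1), (8, 0)}
NEWEST_FIXED_TRAIN = max(FIXED_IN)


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maintenance[-hN]' into (major, minor, maint, hotfix).

    The '-hN' hotfix suffix (e.g. 9.0.9-h1) is an assumed convention; a missing
    hotfix counts as 0. Raises ValueError on anything else.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def cve_2020_2034_status(version: str, globalprotect_portal_enabled: bool = True) -> str:
    """Classify one firewall as 'not_exploitable', 'fixed', 'vulnerable',
    'vulnerable_eol' or 'unknown_train' for CVE-2020-2034."""
    major, minor, maint, _hotfix = parse_panos_version(version)
    train = (major, minor)
    # The advisory says the issue is not exploitable without the GlobalProtect portal.
    if not globalprotect_portal_enabled:
        return "not_exploitable"
    if train in END_OF_LIFE:
        return "vulnerable_eol"          # 7.1 and 8.0 will never be patched
    if train in FIXED_IN:
        # Hotfixes sit on top of a maintenance release, so the release number decides.
        return "fixed" if maint >= FIXED_IN[train] else "vulnerable"
    if train > NEWEST_FIXED_TRAIN:
        return "fixed"                   # "all newer versions" per the advisory
    return "unknown_train"               # older than 7.1: not covered by the advisory text


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for fw, ver, portal in [("fw-edge-1", "9.0.8", True), ("fw-edge-2", "9.1.3", True),
                            ("fw-lab", "8.0.20", True), ("fw-dc", "9.1.2", False)]:
        print(f"{fw:10} PAN-OS {ver:9} -> {cve_2020_2034_status(ver, portal)}")
```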
The vulnerability was discovered by Yamata Li of Palo Alto Networks Threat Research Team during an internal security review.
Attackers need additional knowledge for exploitation
“An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue,” Palo Alto Networks’ security advisory reads.
While PAN does not explain what specific information the attackers are required to know about the vulnerable devices to successfully exploit the vulnerability, CTI League’s Nate Warfield said that this could imply that the attacks would need to be customized per device.
Usually it implies that the vuln isn’t easily wormable & that the attack would need to be customized per device.
Interesting that this isn’t considered a scope-change, since unauth from network -> root permissions usually IS S:C as network should be considered a boundary
— Nate W. | #BlackLivesMatter | #NoJusticeNoPeace (@n0x08) July 8, 2020
“Attack Complexity is somewhat vague, and ‘High’ complexity can mean different things based on what the vulnerability is, what the product is, and the complexity level the vendor assumes it to be for exploitation,” Warfield told BleepingComputer when asked to elaborate on the attacks being customized per device.
“Complexity low are vulnerabilities like MS17-010, SMBGhost, etc. that only need the device to be exposed for exploitation to be possible.
“Complexity high can be either ‘must tweak memory offsets in the POC based on the number of CPUs/memory’ or it could be something else so the metric is highly subjective.”
BleepingComputer has reached out to Palo Alto Networks for more details on what exact knowledge of the firewall the attackers would need to exploit the flaw, but had not heard back at the time of this publication.
Update 7/8/20: Updated article to include new information from Palo Alto’s updated advisory.