Palo Alto Networks has remediated vulnerabilities in PAN-OS (versions 8.1 and later).
Attackers could use these vulnerabilities to gain access to sensitive data, or escalate the attack to reach internal network segments of a company that runs the vulnerable protection tools.
Vulnerability CVE-2020-2037 (command injection) has a score of 7.2. It allows arbitrary OS commands to be executed on the firewall. The attack requires authentication to the management web interface. Once logged in, an attacker can open a particular firewall section, place malicious code in one of its web forms, and obtain maximum privileges in the OS.
“We performed black-box testing of the NGFW management web interface to detect this vulnerability, which results from the lack of user input sanitization. During a real attack, hackers can, for example, brute-force the password for the administrator panel, perform RCE, and gain access to the Palo Alto product, as well as the company’s internal network,” said Mikhail Klyuchnikov, researcher at Positive Technologies.
“The administrator panel may be located both inside and outside the corporate network, whichever is more convenient for the admins. But, of course, for security reasons, it’s better to have it inside. And therefore, such attacks may be conducted both from the internal and external networks.”
The second vulnerability, CVE-2020-2036 (XSS), has a score of 8.8. If a potential victim logs in to the administrator panel and then clicks a specially crafted malicious link, attackers can perform any action on behalf of that user in the context of the Palo Alto application, spoof pages, and develop further attacks.
The attack can be conducted from the Internet, but if the administrator panel is located on the internal network, attackers will also need to know its internal address.
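The passage above describes the reflected XSS class in general terms. The following Python snippet is an added illustration and is not PAN-OS code or code from Positive Technologies; it assumes a hypothetical management page that reflects a `q` request parameter. It contrasts raw interpolation with HTML output encoding, adds the response headers a defender would pair with encoding, and includes a small check that a test suite can run against each renderer.

```python
import html
from urllib.parse import parse_qs

# Constructed illustration, not PAN-OS code: a management page that reflects a
# request parameter. The vulnerable renderer inserts it raw; the hardened one
# HTML-encodes it and adds response headers that limit what injected script can do.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"


def reflected_param(query_string: str) -> str:
    """Extract the untrusted ?q= value from a raw query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Raw interpolation: any markup in ?q= becomes part of the page."""
    return PAGE.format(q=reflected_param(query_string))


def render_hardened(query_string: str) -> str:
    """Context-appropriate output encoding for an HTML text node."""
    return PAGE.format(q=html.escape(reflected_param(query_string), quote=True))


def hardened_headers(session_id: str) -> dict:
    """Defence in depth: CSP blocks inline script; cookie flags keep the
    session out of reach of script and of cross-site requests."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/",
    }


def reflects_markup(render, query_string: str) -> bool:
    """Test-time check: does the untrusted parameter survive into the page
    with its '<' intact? True means the renderer is reflecting markup."""
    raw = reflected_param(query_string)
    return "<" in raw and raw in render(query_string)
```

`reflects_markup` is the kind of assertion worth keeping in a regression suite for every endpoint that echoes user input: it fails loudly the moment a renderer stops encoding.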
A third vulnerability, CVE-2020-2038, with a score of 7.2, was detected in the PAN-OS software interface. Like the first, it is a command injection; it extends the set of system commands an attacker can run, enabling a variety of potential attacks.
By default, this interface restricts which system commands can be called, with an exception for a few basic commands (such as ping); however, because user-supplied data is insufficiently filtered, attackers can inject arbitrary OS commands. An attacker who holds an API key, or the credentials needed to generate one, can run arbitrary system commands with maximum privileges.
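Both command-injection findings above (the web-form case and the API case that exposes a few basic commands such as ping) share one root cause: user input reaching a shell without sanitization. The following Python example is added here to show the pattern and its fix in code; it is not PAN-OS code and makes no claim about how PAN-OS is implemented. The `ALLOWED_COMMANDS` table, the validators and the `injection_suspected` logging helper are all assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed illustration, not PAN-OS code: a diagnostics API that is only
# supposed to allow a few commands such as ping.
ALLOWED_COMMANDS = {"ping": ["ping", "-c", "1"]}


def build_shell_command_vulnerable(command: str, target: str) -> str:
    """Vulnerable pattern: the command is allowlisted, but the user-supplied
    target is spliced into a shell string. Shell metacharacters in `target`
    (; | && $() and friends) therefore become additional commands."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not permitted")
    return " ".join(ALLOWED_COMMANDS[command]) + " " + target


_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_target(target: str) -> str:
    """Accept only an IP literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def build_argv_hardened(command: str, target: str) -> list:
    """Hardened pattern: allowlist the command, validate the argument against a
    strict grammar, and return an argv list that is executed without a shell."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not permitted")
    return ALLOWED_COMMANDS[command] + [validate_target(target)]


def run_hardened(command: str, target: str) -> subprocess.CompletedProcess:
    """Execute the validated argv directly (shell=False), so no metacharacter
    in the argument is ever interpreted by a shell."""
    argv = build_argv_hardened(command, target)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


def injection_suspected(target: str) -> bool:
    """Cheap detection helper for request logging: flag inputs that fail
    validation and also contain shell metacharacters, so a monitoring rule can
    alert on attempted injection rather than silently returning an error."""
    try:
        validate_target(target)
        return False
    except ValueError:
        return bool(re.search(r"[;&|`$(){}<>\n]", target))
```

The defensive point is that allowlisting the command name alone is not enough; the argument must be validated against a positive grammar and passed as an argv element, never concatenated into a shell string. The `injection_suspected` helper turns rejected requests into a signal worth logging.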
Finally, the fourth vulnerability (CVE-2020-2039, score 5.3) allows an unauthorized user to upload arbitrary files of any size to a certain directory on the server, which may lead to denial of service. To exploit it, attackers can upload an unlimited number of files of various sizes, completely exhausting free space on the system and making the administrator panel unavailable.
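The upload flaw above is a missing-controls problem: no authentication, no per-file cap, no quota, no free-space floor. The Python example below is added here to show what those controls look like together in one handler; it is not PAN-OS code, and the limits, the `UploadStore` class and the `demo()` driver are assumptions for illustration.

```python
import io
import os
import shutil
import tempfile
from typing import BinaryIO, Optional

# Constructed illustration, not PAN-OS code: an upload endpoint that enforces the
# controls whose absence the paragraph above describes. Limits are assumed values.
MAX_FILE_BYTES = 1024 * 1024            # per-file cap
MAX_USER_QUOTA_BYTES = 5 * 1024 * 1024  # total bytes one account may keep stored
MIN_FREE_BYTES = 64 * 1024 * 1024       # refuse uploads once free space drops below this
CHUNK = 64 * 1024


class UploadRejected(Exception):
    pass


class UploadStore:
    def __init__(self, root: str, min_free_bytes: int = MIN_FREE_BYTES) -> None:
        self.root = root
        self.min_free_bytes = min_free_bytes
        self.usage = {}  # account -> bytes currently stored

    def save(self, user: Optional[str], name: str, stream: BinaryIO) -> int:
        """Store one upload; raises UploadRejected instead of consuming disk."""
        if not user:                                   # unauthenticated callers never reach the disk
            raise UploadRejected("authentication required")
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise UploadRejected("bad file name")       # no path components, no traversal
        if shutil.disk_usage(self.root).free < self.min_free_bytes:
            raise UploadRejected("insufficient free space")
        used = self.usage.get(user, 0)
        dest = os.path.join(self.root, f"{user}-{name}")
        written, ok = 0, False
        try:
            with open(dest, "wb") as out:
                # stream in chunks so an oversized body is cut off early, not after it is on disk
                for chunk in iter(lambda: stream.read(CHUNK), b""):
                    written += len(chunk)
                    if written > MAX_FILE_BYTES:
                        raise UploadRejected("file exceeds per-file cap")
                    if used + written > MAX_USER_QUOTA_BYTES:
                        raise UploadRejected("account quota exceeded")
                    out.write(chunk)
            ok = True
        finally:
            if not ok and os.path.exists(dest):
                os.remove(dest)                        # never leave partial files behind
        self.usage[user] = used + written
        return written


def demo() -> dict:
    """Exercise the store on constructed inputs and return the outcomes."""
    root = tempfile.mkdtemp()
    store = UploadStore(root, min_free_bytes=0)  # free-space floor disabled so the demo runs anywhere

    def attempt(user, name, data):
        try:
            store.save(user, name, io.BytesIO(data))
            return "accepted"
        except UploadRejected as exc:
            return f"rejected: {exc}"

    results = {"first": store.save("admin", "report.txt", io.BytesIO(b"x" * 1024))}
    results["anonymous"] = attempt(None, "a.txt", b"x")
    results["oversized"] = attempt("admin", "big.bin", b"x" * (MAX_FILE_BYTES + 1))
    results["traversal"] = attempt("admin", "../evil.txt", b"x")
    n = 0  # keep uploading 1 MiB files until the account quota stops us
    while attempt("admin", f"f{n}.bin", b"x" * MAX_FILE_BYTES) == "accepted":
        n += 1
    results["accepted_before_quota"] = n
    results["files_on_disk"] = len(os.listdir(root))
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The free-space floor is the control that directly addresses the denial-of-service outcome described above: even an authenticated account within its quota cannot push the system into the state where the administrator panel stops working. Monitoring free space on the partition that backs uploads gives the same signal from the detection side.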