Palo Alto Networks told customers this week that it fixed more than two dozen vulnerabilities in PAN-OS, software that runs on the company’s next-generation firewalls.
One of the major drawbacks is the CVE-2020-2018, with a CVSS value of 9, which allows an attacker with access to the Panorama management system interface to gain privileged access to managed firewalls. This authentication process affects the pan context switching function and the manufacturer indicates that the operation requires some knowledge of managed firewalls.
Another potentially serious problem is the CVE-2020-2012, a highly secure XXE vulnerability that allows an external, unauthorized attacker with access to the Panorama interface to read random system files.
Another very reliable drawback, the CVE-2020-2011, allows an unauthorized remote intruder to invoke Denial of Service (DoS) status in all Panorama services by sending specially designed registration requests.
A serious XSS (cross-site scripting) vulnerability affecting GlobalProtect’s clientless VPN can allow an attacker to compromise a user session by forcing the user to visit a malicious website.
Some older vulnerabilities affecting the previous version of Nginx and included in PAN-OS can be exploited even without authentication, including some that are very serious.
The new versions of PAN-OS also fix highly secure vulnerabilities that can be used to increase privileges, execute shell commands or root-rights code, hack administrator accounts, launch XSS attacks, bypass authentication and delete files. However, in order to exploit these vulnerabilities, authentication is required or the attacker must be able to intercept the traffic.
One such drawback is the CVE-2020-2002, which has been described as a problem of authentication tradition in connection with the Kerberos Key Distribution Center (KDC) exchange. The vulnerability was discovered by Silverfort researchers who recently discovered a similar problem with the Cisco Adaptive Security Appliance (ASA).
One of the interesting vulnerabilities of intermediate servers is the CVE-2020-1996, which allows an unauthorized remote attacker to insert messages into the ms.log file of the management server.
This vulnerability can be used to confuse an ongoing attack or to create ms.log entries, Palo Alto Networks advises.
That’s what it looks like: CWN Critical Vulnerability in Palo Alto Networks VPN Product
That’s what it looks like: Vulnerabilities of the VPN for enterprises expose enterprises to hackers and espionage
That’s what it looks like: Critical vulnerabilities detected in the Palo Alto network security platform
@EduardKovacs – Publisher of the Safety Week. He worked for two years as a high school computer science teacher before starting a career in journalism as a security reporter for Softpedia. Edouard has a bachelor’s degree in industrial computer sciences and a master’s degree in computer engineering for electrical engineering.
Previous chronicles of Eduard Kovacs :
Keywords: palo alto vulnerability database,cve-2019-17437,palo alto vulnerability protection,cve-2019-1581,palo alto firewall,palo alto security advisories email alerts,palo alto support,cve-2019-1580