Palo Alto Networks Security Advisories / CVE-2020-1993

CVE-2020-1993 PAN-OS: GlobalProtect Portal PHP session fixation vulnerability


047910
Severity 3.7 · LOW
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact LOW
Privileges Required LOW
Integrity Impact LOW
User Interaction REQUIRED
Availability Impact NONE

Description

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID.

This issue affects:

All PAN-OS 7.1 and 8.0 versions;

PAN-OS 8.1 versions earlier than 8.1.14;

PAN-OS 9.0 versions earlier than 9.0.8.

Product Status

VersionsAffectedUnaffected
PAN-OS 9.1None>= 9.1.0
PAN-OS 9.0< 9.0.8>= 9.0.8
PAN-OS 8.1< 8.1.14>= 8.1.14
PAN-OS 8.08.0.*None
PAN-OS 7.17.1.*None

Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Weakness Type

CWE-384 Session Fixation

Solution

This issue is fixed in PAN-OS 8.1.14, PAN-OS 9.0.8, PAN-OS 9.1.0, and all later PAN-OS versions.

PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.

PAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

This issue was found by a customer.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.