Palo Alto Networks Security Advisories / CVE-2020-1993

CVE-2020-1993 PAN-OS: GlobalProtect Portal PHP session fixation vulnerability

Severity 3.7 · LOW
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required LOW
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE

Description

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks if an attacker is able to control a user's session ID.

This issue affects:

All PAN-OS 7.1 and 8.0 versions;

PAN-OS 8.1 versions earlier than 8.1.14;

PAN-OS 9.0 versions earlier than 9.0.8.
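The description above is the textbook CWE-384 condition: the session ID a browser holds before authentication is still the ID of the authenticated session afterwards. The following is an added illustration, not PAN-OS or GlobalProtect code. It uses a constructed in-memory session store and a constructed credential (alice / "correct horse battery staple") to show the vulnerable login pattern beside the hardened one, and a small audit function that tells the two apart the way a defender would verify a fix: log in with a known pre-login session ID, then confirm the ID changed and the old one no longer maps to an authenticated session. In PHP the hardened behaviour is what session_regenerate_id(true) provides.

```python
import hmac
import secrets

# Constructed credential store for the demo; not PAN-OS code or data.
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed credential store."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Minimal server-side session table keyed by session ID."""

    def __init__(self) -> None:
        self.sessions = {}  # session ID -> {"authenticated": bool, "user": str|None}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)  # 128-bit random ID, like a PHPSESSID value
        self.sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def get(self, sid: str):
        return self.sessions.get(sid)


def login_vulnerable(store: SessionStore, sid: str, username: str, password: str):
    """CWE-384 pattern: the pre-login session ID is kept after authentication.
    Returns (session_id_in_effect, login_succeeded)."""
    if store.get(sid) is None:          # unknown cookie: start a fresh session
        sid = store.new_session()
    if not check_password(username, password):
        return sid, False
    store.get(sid).update(authenticated=True, user=username)
    return sid, True


def login_fixed(store: SessionStore, sid: str, username: str, password: str):
    """Hardened form: on successful authentication the old session is
    discarded and a new ID is issued, so any ID known before login no
    longer maps to an authenticated session. This is the effect of
    session_regenerate_id(true) in PHP."""
    if store.get(sid) is None:
        sid = store.new_session()
    if not check_password(username, password):
        return sid, False
    store.sessions.pop(sid, None)       # invalidate the pre-login ID
    new_sid = store.new_session()
    store.get(new_sid).update(authenticated=True, user=username)
    return new_sid, True


def rotates_session_on_login(login_fn) -> bool:
    """Audit check: does this login handler change the session ID on
    successful authentication, and does the old ID stop being valid?
    Returns True only if both hold."""
    store = SessionStore()
    pre_sid = store.new_session()       # ID the browser holds before login
    post_sid, ok = login_fn(store, pre_sid, "alice", "correct horse battery staple")
    if not ok:
        return False
    old = store.get(pre_sid)
    old_still_authenticated = old is not None and old["authenticated"]
    return post_sid != pre_sid and not old_still_authenticated


if __name__ == "__main__":
    print("vulnerable handler rotates ID:", rotates_session_on_login(login_vulnerable))
    print("fixed handler rotates ID:     ", rotates_session_on_login(login_fixed))
```

Against a real portal the same check is done at the HTTP layer: record the session cookie value issued before login, authenticate, and confirm both that the server sets a different value and that the pre-login value is no longer accepted as an authenticated session. A fixed build should pass both conditions; a build that passes only the first still leaves the old ID usable.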

Product Status

Versions     Affected    Unaffected
PAN-OS 9.1   None        >= 9.1.0
PAN-OS 9.0   < 9.0.8     >= 9.0.8
PAN-OS 8.1   < 8.1.14    >= 8.1.14
PAN-OS 8.0   8.0.*       None
PAN-OS 7.1   7.1.*       None

Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Weakness Type

CWE-384 Session Fixation

Solution

This issue is fixed in PAN-OS 8.1.14, PAN-OS 9.0.8, PAN-OS 9.1.0, and all later PAN-OS versions.

PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.

PAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

This issue was found by a customer.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.