CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically crafted packets
Description
A vulnerability exists in the Palo Alto Networks PAN-OS signature-based threat detection engine that allows an attacker to evade threat prevention signatures using specifically crafted TCP packets.
This CVE has no impact on the confidentiality and availability of PAN-OS. This issue does not let an attacker access resources blocked by firewall policies and it has no impact on the service availability. There could be an impact on the accuracy of firewall threat prevention with some signatures, but there is no impact on the integrity of other security features.
This issue impacts:
PAN-OS 8.1 versions earlier than 8.1.17;
PAN-OS 9.0 versions earlier than 9.0.11;
PAN-OS 9.1 versions earlier than 9.1.5;
All versions of PAN-OS 7.1 and PAN-OS 8.0.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 10.0 | None | 10.0.* |
PAN-OS 9.1 | < 9.1.5 | >= 9.1.5 |
PAN-OS 9.0 | < 9.0.11 | >= 9.0.11 |
PAN-OS 8.1 | < 8.1.17 | >= 8.1.17 |
PAN-OS 8.0 | 8.0.* | |
PAN-OS 7.1 | 7.1.* | |
Severity: MEDIUM
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-754 Improper Check for Unusual or Exceptional Conditions
Solution
This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all later PAN-OS versions.
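An added example (not part of the advisory and not Palo Alto Networks code): a triage check that classifies PAN-OS version strings against the affected and fixed versions listed above. The version-string format, including the optional `-h1` style suffix, and the hostnames in the sample inventory are assumptions.

```python
import re

# Fixed maintenance release per affected branch, from the Product Status table.
FIXED = {(8, 1): 17, (9, 0): 11, (9, 1): 5}
# Branches the advisory lists as affected in all versions (no fixed release).
ALL_AFFECTED = {(7, 1), (8, 0)}

# Assumed format: major.minor.maintenance with an optional suffix such as "-h1".
# A suffixed build of an earlier maintenance release is treated as affected,
# because the advisory names only the maintenance release that carries the fix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?$")


def cve_2020_1999_status(version):
    """Return 'affected', 'unaffected' or 'unknown' for a PAN-OS version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparseable input: flag for manual review
    major, minor, maint = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in ALL_AFFECTED:
        return "affected"
    if branch in FIXED:
        return "affected" if maint < FIXED[branch] else "unaffected"
    if branch >= (10, 0):
        return "unaffected"  # 10.0.* is listed unaffected; later versions are fixed
    return "unknown"  # branches the advisory does not cover, e.g. older than 7.1


def triage(inventory):
    """Group hostnames by status so affected and unknown devices get followed up."""
    result = {"affected": [], "unaffected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[cve_2020_1999_status(version)].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    sample = {"fw-edge-01": "8.1.16", "fw-edge-02": "8.1.17",
              "fw-dc-01": "9.0.10-h1", "fw-dc-02": "9.1.5",
              "fw-lab-01": "8.0.20", "fw-lab-02": "10.0.1",
              "fw-old-01": "7.0.19", "fw-bad-01": "n/a"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as `unknown` need manual review rather than being assumed safe.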
Workarounds and Mitigations
There are no known workarounds for this issue.