CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically crafted packets
A vulnerability exists in the Palo Alto Networks PAN-OS signature-based threat detection engine that allows an attacker to evade threat prevention signatures using specifically crafted TCP packets.
This CVE has no impact on the confidentiality and availability of PAN-OS. This issue does not let an attacker access resources blocked by firewall policies and it has no impact on the service availability. There could be an impact on the accuracy of firewall threat prevention with some signatures, but there is no impact on the integrity of other security features.
This issue impacts:
PAN-OS 8.1 versions earlier than 8.1.17;
PAN-OS 9.0 versions earlier than 9.0.11;
PAN-OS 9.1 versions earlier than 9.1.5;
All versions of PAN-OS 7.1 and PAN-OS 8.0.
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 9.1 | < 9.1.5 | >= 9.1.5 |
| PAN-OS 9.0 | < 9.0.11 | >= 9.0.11 |
| PAN-OS 8.1 | < 8.1.17 | >= 8.1.17 |
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all later PAN-OS versions.
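An added example (not part of the advisory and not Palo Alto Networks code): a triage check that classifies PAN-OS version strings from a firewall inventory against the affected and fixed releases listed above. The `-hN` hotfix suffix format, the hostnames and the sample versions are assumptions; branches older than 7.1 are reported as unknown because the advisory does not cover them.

```python
import re

# Fixed maintenance release per affected branch, as listed in the advisory.
FIXED = {(8, 1): 17, (9, 0): 11, (9, 1): 5}
# Branches the advisory lists as affected in all versions.
ALL_AFFECTED = {(7, 1), (8, 0)}

# Assumed version format: major.minor.maintenance with an optional
# hotfix suffix such as "-h1" (for example "9.0.10-h1").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for a PAN-OS version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable string: needs manual review
    major, minor, maint = (int(g) for g in m.group(1, 2, 3))
    branch = (major, minor)
    if branch in ALL_AFFECTED:
        return "affected"
    if branch in FIXED:
        # A hotfix of a release below the fixed maintenance number is
        # still "earlier than" the fixed release, so it stays affected.
        return "fixed" if maint >= FIXED[branch] else "affected"
    if branch > max(FIXED):
        return "fixed"  # covered by "all later PAN-OS versions"
    return "unknown"  # branch older than 7.1: not covered by the advisory


def triage(inventory: dict) -> dict:
    """Group hostnames by classification, sorted for stable output."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    sample = {
        "fw-edge-01": "8.1.16-h2",
        "fw-edge-02": "8.1.17",
        "fw-dc-01": "9.0.10",
        "fw-dc-02": "9.1.5-h1",
        "fw-lab-01": "8.0.20",
        "fw-lab-02": "10.0.1",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```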
Workarounds and Mitigations
There are no known workarounds for this issue.