CVE-2020-1999 PAN-OS: Threat signatures are evaded by specifically crafted packets

Severity 5.3 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact LOW
Availability Impact NONE

Description

A vulnerability exists in the Palo Alto Networks PAN-OS signature-based threat detection engine that allows an attacker to evade threat prevention signatures using specifically crafted TCP packets.

This CVE has no impact on the confidentiality and availability of PAN-OS. This issue does not let an attacker access resources blocked by firewall policies and it has no impact on the service availability. There could be an impact on the accuracy of firewall threat prevention with some signatures, but there is no impact on the integrity of other security features.

This issue impacts:

PAN-OS 8.1 versions earlier than 8.1.17;

PAN-OS 9.0 versions earlier than 9.0.11;

PAN-OS 9.1 versions earlier than 9.1.5;

All versions of PAN-OS 7.1 and PAN-OS 8.0.

Product Status

Versions      Affected    Unaffected
PAN-OS 10.0   None        10.0.*
PAN-OS 9.1    < 9.1.5     >= 9.1.5
PAN-OS 9.0    < 9.0.11    >= 9.0.11
PAN-OS 8.1    < 8.1.17    >= 8.1.17
PAN-OS 8.0    8.0.*
PAN-OS 7.1    7.1.*

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-754 Improper Check for Unusual or Exceptional Conditions

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all later PAN-OS versions.
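
The following is an added example, not part of the advisory and not Palo Alto Networks code: a small inventory check that classifies PAN-OS version strings against the affected ranges and fixed releases listed on this page. The version format (major.minor.maintenance with an optional "-hN" hotfix suffix), the function names and the sample inventory are assumptions made for the example.

```python
import re

# Fixed maintenance release per branch, from the Product Status table above.
FIXED_MAINT = {(8, 1): 17, (9, 0): 11, (9, 1): 5}
# Branches the advisory lists as affected in every version.
ALL_AFFECTED = {(7, 1), (8, 0)}

# Assumption: versions look like "9.0.9" or "9.0.9-h1" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def cve_2020_1999_status(version):
    """Classify one PAN-OS version string against the advisory's ranges."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in ALL_AFFECTED:
        return "affected"
    if branch in FIXED_MAINT:
        # A hotfix on an older maintenance release is still "earlier than"
        # the fixed release, so only the maintenance number is compared.
        return "affected" if maint < FIXED_MAINT[branch] else "unaffected"
    if branch >= (10, 0):
        return "unaffected"  # 10.0.* and "all later PAN-OS versions"
    return "not listed"      # branch the advisory does not mention


def audit(inventory):
    """Map each hostname to its status; bad version strings are flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = cve_2020_1999_status(version)
        except ValueError:
            report[host] = "unparsed"
    return report


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "fw-edge-01": "9.0.10-h2", "fw-edge-02": "9.0.11", "fw-dc-01": "8.1.17-h1",
    "fw-lab-01": "8.0.20", "fw-new-01": "10.0.3", "fw-old-01": "7.0.19",
    "fw-bad-01": "unknown",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```

Devices reported as "not listed" or "unparsed" need a manual check, since the advisory makes no statement about those branches.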

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

This issue was found by Vijay Prakash of Palo Alto Networks during internal security review.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.