Palo Alto Networks Security Advisories / CVE-2020-2001

CVE-2020-2001 PAN-OS: Panorama External control of file vulnerability leads to privilege escalation

047910
Severity 8.1 · HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic that allows an unauthenticated user with network access to PAN-OS management interface to write attacker supplied file on the system and elevate privileges.

This issue affects:

All PAN-OS 7.1 Panorama and 8.0 Panorama versions;

PAN-OS 8.1 versions earlier than 8.1.12 on Panorama;

PAN-OS 9.0 versions earlier than 9.0.6 on Panorama.

Product Status

PAN-OS

VersionsAffectedUnaffected
9.0< 9.0.6>= 9.0.6
8.1< 8.1.12>= 8.1.12
8.08.0.*
7.17.1.*

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-123 Write-what-where Condition

Solution

This issue is fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later PAN-OS versions.

PAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes.

PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.

Workarounds and Mitigations

Acknowledgments

This issue was found by Ben Nott of Palo Alto Networks during internal security review.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.