CVE-2020-2002 PAN-OS: Spoofed Kerberos key distribution center authentication bypass
Description
An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users. This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator.
This issue affects:
PAN-OS 7.1 versions earlier than 7.1.26;
PAN-OS 8.1 versions earlier than 8.1.13;
PAN-OS 9.0 versions earlier than 9.0.6;
All version of PAN-OS 8.0.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 9.0 | < 9.0.6 | >= 9.0.6 |
| PAN-OS 8.1 | < 8.1.13 | >= 8.1.13 |
| PAN-OS 8.0 | 8.0.* | |
| PAN-OS 7.1 | < 7.1.26 | >= 7.1.26 |
Severity: HIGH
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness Type
CWE-290 Authentication Bypass by Spoofing
Solution
This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.6, and all later PAN-OS versions.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Workarounds and Mitigations
Ensure that PAN-OS communicates to Kerberos server over a secured network with access restricted to trusted users.
Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at: https://docs.paloaltonetworks.com.