Palo Alto Networks Security Advisories / CVE-2020-2005

CVE-2020-2005 PAN-OS: GlobalProtect Clientless VPN session hijacking

047910
Severity 7.1 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact LOW
Availability Impact NONE

Description

A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session.

This issue affects:

PAN-OS 7.1 versions earlier than 7.1.26;

PAN-OS 8.1 versions earlier than 8.1.13;

PAN-OS 9.0 versions earlier than 9.0.7;

All versions of PAN-OS 8.0.

Product Status

VersionsAffectedUnaffected
PAN-OS 9.0< 9.0.7>= 9.0.7
PAN-OS 8.1< 8.1.13>= 8.1.13
PAN-OS 8.08.0.*
PAN-OS 7.1< 7.1.26>= 7.1.26

Required Configuration for Exposure

This issue only affects firewalls configured with GlobalProtect Clientless VPN.

Severity: HIGH

CVSSv3.1 Base Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Weakness Type

CWE-79 Cross-site Scripting (XSS)

Solution

This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.

PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.

Workarounds and Mitigations

Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites.

Acknowledgments

This issue was discovered by Ron Masas of Palo Alto Networks during internal security review.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.