CVE-2020-2005 PAN-OS: GlobalProtect Clientless VPN session hijacking
Description
A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session.
This issue affects:
PAN-OS 7.1 versions earlier than 7.1.26;
PAN-OS 8.1 versions earlier than 8.1.13;
PAN-OS 9.0 versions earlier than 9.0.7;
All versions of PAN-OS 8.0.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 9.0 | < 9.0.7 | >= 9.0.7 |
PAN-OS 8.1 | < 8.1.13 | >= 8.1.13 |
PAN-OS 8.0 | 8.0.* | None |
PAN-OS 7.1 | < 7.1.26 | >= 7.1.26 |
Required Configuration for Exposure
This issue only affects firewalls configured with GlobalProtect Clientless VPN.
Severity: HIGH
CVSSv3.1 Base Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
Weakness Type
CWE-79 Cross-site Scripting (XSS)
Solution
This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Workarounds and Mitigations
Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites.