Palo Alto Networks Security Advisories / CVE-2020-2034

CVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal

047910
Severity 8.1 · HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled.

This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.

Prisma Access services are not impacted by this vulnerability. Firewalls that were upgraded to the latest versions of PAN-OS to resolve CVE-2020-2021 are not vulnerable to this issue.

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Product Status

PAN-OS

VersionsAffectedUnaffected
9.1< 9.1.3>= 9.1.3
9.0< 9.0.9>= 9.0.9
8.1< 8.1.15>= 8.1.15
8.08.0.*
7.17.1.*

Required Configuration for Exposure

This issue is applicable only where GlobalProtect portal is enabled.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.

PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and October 31, 2019 respectively) and are no longer covered by our Product Security Assurance policies.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 58658 on traffic destined for the GlobalProtect portal will block attacks against CVE-2020-2034.

Acknowledgments

This issue was found by Yamata Li of Palo Alto Networks during internal security review.

Timeline

Updated workaround section with Threat Prevention signature.
Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.