Palo Alto Networks Security Advisories / CVE-2020-2040

CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled

047910
Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.

This issue impacts:

All versions of PAN-OS 8.0;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.15;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.9;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.

This issue does not impact the GlobalProtect VPN or the PAN-OS management web interfaces.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.0None>= 10.0.0
PAN-OS 9.1< 9.1.3>= 9.1.3
PAN-OS 9.0< 9.0.9>= 9.0.9
PAN-OS 8.1< 8.1.15>= 8.1.15
PAN-OS 8.08.0.*

Required Configuration for Exposure

This issue is applicable only where either Captive Portal is enabled or Multi-Factor Authentication (MFA) is configured as per https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/configure-multi-factor-authentication.html

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-120 Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.

All Prisma Access services are now upgraded to resolve this issue and are no longer vulnerable.

PAN-OS 7.1 and 8.0 are end-of-life and are no longer covered by our Product Security Assurance policies.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures in content update version 8317 will block attacks against CVE-2020-2040.

Acknowledgments

This issue was found by Yamata Li of Palo Alto Networks during internal security review.

Frequently Asked Questions

Q. Has this been exploited in the wild?

This issue was discovered during internal security review. No evidence of active exploitation has been identified as of this time.

Q. Are there any indicators of compromise or breach due to this vulnerability?

No.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.