CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled
Description
A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.
This issue impacts:
All versions of PAN-OS 8.0;
PAN-OS 8.1 versions earlier than PAN-OS 8.1.15;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.9;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.
This issue does not impact the GlobalProtect VPN or the PAN-OS management web interfaces.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 10.0 | None | >= 10.0.0 |
PAN-OS 9.1 | < 9.1.3 | >= 9.1.3 |
PAN-OS 9.0 | < 9.0.9 | >= 9.0.9 |
PAN-OS 8.1 | < 8.1.15 | >= 8.1.15 |
PAN-OS 8.0 | 8.0.* | None |
Required Configuration for Exposure
This issue is applicable only where either Captive Portal is enabled or Multi-Factor Authentication (MFA) is configured as per https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
Severity: CRITICAL
CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploitation Status
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
Weakness Type
Solution
This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.
All Prisma Access services are now upgraded to resolve this issue and are no longer vulnerable.
PAN-OS 7.1 and 8.0 are end-of-life and are no longer covered by our Product Security Assurance policies.
Workarounds and Mitigations
Until PAN-OS software is upgraded to a fixed version, enabling signatures in content update version 8317 will block attacks against CVE-2020-2040.
Acknowledgments
Frequently Asked Questions
Q. Has this been exploited in the wild?
This issue was discovered during internal security review. No evidence of active exploitation has been identified as of this time.
Q. Are there any indicators of compromise or breach due to this vulnerability?
No.