CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled

Description

A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.

This issue impacts:

All versions of PAN-OS 8.0;

PAN-OS 8.1 versions earlier than PAN-OS 8.1.15;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.9;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.

This issue does not impact the GlobalProtect VPN or the PAN-OS management web interfaces.

Product Status

Required Configuration for Exposure

This issue is applicable only where either Captive Portal is enabled or Multi-Factor Authentication (MFA) is configured as per https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/configure-multi-factor-authentication.html

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-120 Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.

All Prisma Access services are now upgraded to resolve this issue and are no longer vulnerable.

PAN-OS 7.1 and 8.0 are end-of-life and are no longer covered by our Product Security Assurance policies.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures in content update version 8317 will block attacks against CVE-2020-2040.

Acknowledgments

Frequently Asked Questions

Q. Has this been exploited in the wild?

This issue was discovered during internal security review. No evidence of active exploitation has been identified as of this time.

Q. Are there any indicators of compromise or breach due to this vulnerability?

No.

Timeline