PAN-SA-2020-0002 PAN-OS: OpenSSH software upgraded to resolve multiple vulnerabilities
OpenSSH software included with PAN-OS has been upgraded to resolve multiple vulnerabilities.
These issue affects Palo Alto Networks PAN-OS 7.1 versions before 7.1.26; 8.1 versions before 8.1.13; 9.0 versions before 9.0.7.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
The resolved vulnerabilities include:
|CVE-2018-20685||5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)||In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.|
|CVE-2019-6109||6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)||An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.|
|CVE-2019-6111||5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)||An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).|
|PAN-OS 9.0||< 9.0.7||>= 9.0.7|
|PAN-OS 8.1||< 8.1.13||>= 8.1.13|
|PAN-OS 7.1||< 7.1.26||>= 7.1.26|
CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H)
These issues are fixed in PAN-OS 7.1.26 (pending release), PAN-OS 8.1.13, PAN-OS 9.0.7 and all later versions.
Workarounds and Mitigations
This issue affects the management interface of PAN-OS and is mitigated by following best practices for securing the PAN-OS management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 8.1 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.