PAN-SA-2020-0002 PAN-OS: OpenSSH software upgraded to resolve multiple vulnerabilities
Description
OpenSSH software included with PAN-OS has been upgraded to resolve multiple vulnerabilities.
These issue affects Palo Alto Networks PAN-OS 7.1 versions before 7.1.26; 8.1 versions before 8.1.13; 9.0 versions before 9.0.7.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
The resolved vulnerabilities include:
| CVE | CVSS | Summary |
|---|---|---|
| CVE-2018-20685 | 5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) | In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. |
| CVE-2019-6109 | 6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. |
| CVE-2019-6111 | 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) | An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 9.0 | < 9.0.7 | >= 9.0.7 |
| PAN-OS 8.1 | < 8.1.13 | >= 8.1.13 |
| PAN-OS 8.0 | 8.0.* | |
| PAN-OS 7.1 | < 7.1.26 | >= 7.1.26 |
Severity: MEDIUM
CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H)
Weakness Type
CWE-284 Improper Access Control
CWE-20 Improper Input Validation
Solution
These issues are fixed in PAN-OS 7.1.26 (pending release), PAN-OS 8.1.13, PAN-OS 9.0.7 and all later versions.
Workarounds and Mitigations
This issue affects the management interface of PAN-OS and is mitigated by following best practices for securing the PAN-OS management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 8.1 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.