PAN-SA-2020-0002 PAN-OS: OpenSSH software upgraded to resolve multiple vulnerabilities

Severity 6.8 · MEDIUM
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact HIGH
Availability Impact HIGH

Description

OpenSSH software included with PAN-OS has been upgraded to resolve multiple vulnerabilities.

These issues affect Palo Alto Networks PAN-OS 7.1 versions before 7.1.26; 8.1 versions before 8.1.13; 9.0 versions before 9.0.7.

PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.

The resolved vulnerabilities include:

| CVE | CVSS | Summary |
|---|---|---|
| CVE-2018-20685 | 5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) | In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. |
| CVE-2019-6109 | 6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. |
| CVE-2019-6111 | 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) | An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). |
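
All three CVEs come down to the scp client trusting the object name the server sends. The following C function is an added illustration (not Palo Alto Networks or OpenSSH code) of validating a server-supplied scp header against the name the user requested. The names `check_scp_header`, `header_name` and the verdict enum are hypothetical, and the sample headers are constructed.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_OK, V_MALFORMED, V_EMPTY_OR_DOT, V_PATH_SEP,
               V_CONTROL_CHAR, V_NOT_REQUESTED };

/* Name field of an scp header "C<mode> <size> <name>" or
 * "D<mode> <size> <name>" (trailing newline already removed). */
static const char *header_name(const char *line)
{
    const char *sp;
    if (line[0] != 'C' && line[0] != 'D')
        return NULL;
    if ((sp = strchr(line + 1, ' ')) == NULL)
        return NULL;
    if ((sp = strchr(sp + 1, ' ')) == NULL)
        return NULL;
    return sp + 1;
}

/* Hypothetical client-side check: accept a server-supplied name only
 * if it is a plain file name matching what the user asked for. */
enum verdict check_scp_header(const char *line, const char *requested)
{
    const char *name = header_name(line);
    if (name == NULL)
        return V_MALFORMED;
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return V_EMPTY_OR_DOT;       /* CVE-2018-20685 case */
    if (strchr(name, '/') != NULL)
        return V_PATH_SEP;           /* traversal out of the target dir */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (iscntrl(*p))
            return V_CONTROL_CHAR;   /* CVE-2019-6109 case */
    if (fnmatch(requested, name, 0) != 0)
        return V_NOT_REQUESTED;      /* CVE-2019-6111 case */
    return V_OK;
}

int main(void)
{
    /* Constructed headers, not captured traffic. */
    const char *hdrs[] = { "C0644 12 report.txt", "D0755 0 .",
                           "C0600 400 authorized_keys" };
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %d\n", hdrs[i], check_scp_header(hdrs[i], "report.txt"));
    return 0;
}
```

The pattern check covers only the names requested on the command line; entries inside a directory received with -r cannot be matched against it.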

Product Status

| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 9.0 | < 9.0.7 | >= 9.0.7 |
| PAN-OS 8.1 | < 8.1.13 | >= 8.1.13 |
| PAN-OS 8.0 | 8.0.* | |
| PAN-OS 7.1 | < 7.1.26 | >= 7.1.26 |

Severity: MEDIUM

CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H)

Weakness Type

CWE-706

CWE-284 Improper Access Control

CWE-20 Improper Input Validation

Solution

These issues are fixed in PAN-OS 7.1.26 (pending release), PAN-OS 8.1.13, PAN-OS 9.0.7 and all later versions.

Workarounds and Mitigations

This issue affects the management interface of PAN-OS and is mitigated by following best practices for securing the PAN-OS management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 8.1 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.

© 2020 Palo Alto Networks, Inc. All rights reserved.