
PAN-SA-2020-0008 Informational: BootHole Vulnerability Impact on Palo Alto Networks PAN-OS Software

Severity 0 · NONE
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

Palo Alto Networks is aware of the vulnerability known as BootHole (CVE-2020-10713) that affects the Grand Unified Bootloader (GRUB) used in Palo Alto Networks PAN-OS software.

BootHole is a buffer overflow vulnerability that occurs in GRUB2 when parsing an attacker-controlled grub.cfg file. This vulnerability enables arbitrary code execution within the boot environment, which allows persistent control of the system.

It is not possible for malicious actors or PAN-OS administrators to exploit this vulnerability under normal conditions. Administrators do not have access to the grub configuration file nor do they have permission to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit this vulnerability. The BootHole vulnerability itself does not allow an attacker to compromise PAN-OS software.

Palo Alto Networks is not aware of any malicious exploitation of this vulnerability.

The Palo Alto Networks Product Security Assurance team evaluated this potential vulnerability and determined that the scenarios required for successful exploitation of the BootHole vulnerability do not exist on PAN-OS software under normal conditions.

| CVE | CVSS | Summary |
| --- | --- | --- |
| CVE-2020-14308 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-14309 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-14310 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-14311 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-15706 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-15707 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-10713 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-15705 | | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |

Product Status

| Versions | Affected | Unaffected |
| --- | --- | --- |
| PAN-OS | None | all |

Required Configuration for Exposure

This vulnerability is exploitable only when an attacker has already compromised the PAN-OS software and gained root Linux privileges on the system. This is not possible under normal conditions.

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N)

Weakness Type

CWE-120 Buffer Overflow

Solution

Palo Alto Networks is working on a fix for the BootHole vulnerability that will prevent an attacker with root privileges from being able to exploit it. The workarounds provided can help mitigate the risk of this issue until that fix is released. There are currently no PAN-OS updates available for this issue.

Workarounds and Mitigations

This vulnerability requires an attacker to compromise PAN-OS software before they can successfully exploit it. The risk of exploitation on PAN-OS software is reduced by upgrading your appliances to the latest versions.

This issue impacts the PAN-OS management interface, but you can additionally mitigate the impact of this issue by following best practices for securing the PAN-OS management interface. Please review the Best Practices for Securing Administrative Access on the PAN-OS technical documentation website at https://docs.paloaltonetworks.com/best-practices.

Timeline

Initial publication