PAN-SA-2020-0008 Informational: BootHole Vulnerability Impact on Palo Alto Networks PAN-OS Software
Informational
Description
Palo Alto Networks is aware of the vulnerability known as BootHole (CVE-2020-10713) that affects the Grand Unified Bootloader (GRUB) used in Palo Alto Networks PAN-OS software.
BootHole is a buffer overflow vulnerability that occurs in GRUB2 when parsing an attacker-controlled grub.cfg file. This vulnerability enables arbitrary code execution within the boot environment, which allows persistent control of the system.
It is not possible for malicious actors or PAN-OS administrators to exploit this vulnerability under normal conditions. Administrators do not have access to the grub configuration file nor do they have permission to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit this vulnerability. The BootHole vulnerability itself does not allow an attacker to compromise PAN-OS software.
Palo Alto Networks is not aware of any malicious exploitation of this vulnerability.
The Palo Alto Networks Product Security Assurance team evaluated this potential vulnerability and determined that the scenarios required for successful exploitation of the BootHole vulnerability do not exist on PAN-OS software under normal conditions.
| CVE | Summary |
|---|---|
| CVE-2020-14308 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-14309 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-14310 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-14311 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-15706 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-15707 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-10713 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-15705 | Conditions required for exploiting this vulnerability do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Required Configuration for Exposure
This vulnerability is exploitable only when an attacker already compromised the PAN-OS software and gained root Linux privileges on the system. This is not possible under normal conditions.
Weakness Type
Solution
Palo Alto Networks is working on a fix for the BootHole vulnerability that will prevent an attacker with root privileges from being able to exploit it. The workarounds provided can help mitigate the risk of this issue until that fix is released. There are currently no PAN-OS updates available for this issue.
Workarounds and Mitigations
This vulnerability requires an attacker to compromise PAN-OS software before they can successfully exploit it. The risk of exploitation on PAN-OS software is reduced by upgrading your appliances to the latest versions.
This issue impacts the PAN-OS management interface but you can additionally mitigate the impact of this issue by following best practices for securing the PAN-OS management interface. Please review the Best Practices for Securing Administrative Access on the PAN-OS technical documentation website at https://docs.paloaltonetworks.com/best-practices.