cbcvebase.
CVE-2020-2034
published 2020-07-08

CVE-2020-2034: An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with…

PriorityP180high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
6.56%
93.0th percentile
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.

Affected

11 ranges
VendorProductVersion rangeFixed in
palo_alto_networkspan-os
palo_alto_networkspan-os
palo_alto_networkspan-os>= 8.1 < 8.1.158.1.15
palo_alto_networkspan-os>= 9.0 < 9.0.99.0.9
palo_alto_networkspan-os>= 9.1 < 9.1.39.1.3
paloaltopan-os
paloaltonetworkspan-os7.1.0 – 7.1.26
paloaltonetworkspan-os8.0.0 – 8.0.20
paloaltonetworkspan-os>= 8.1.0 < 8.1.158.1.15
paloaltonetworkspan-os>= 9.0.0 < 9.0.99.0.9
paloaltonetworkspan-os>= 9.1.0 < 9.1.39.1.3

Detection & IOCsextracted from sources · hover to see the quote

otherUnique Threat ID 58658
  • The vulnerability exists in the PAN-OS GlobalProtect portal; only systems with the GlobalProtect portal feature enabled are exploitable — monitor/alert on unauthenticated inbound requests to the GlobalProtect portal interface.
  • Attacker requires specific knowledge of the firewall configuration or may perform brute-force attempts prior to exploitation — look for high-volume or anomalous unauthenticated requests to the GlobalProtect portal as a precursor indicator.
  • Apply Palo Alto Networks Threat Prevention signature for Unique Threat ID 58658 on traffic destined for the GlobalProtect portal to detect and block exploitation attempts.
  • ·Firewalls already patched for CVE-2020-2021 (upgraded to latest PAN-OS versions at that time) are not vulnerable to this issue.
  • ·Prisma Access deployments are not affected by this vulnerability.
  • ·All versions of PAN-OS 8.0 and PAN-OS 7.1 are affected with no patched release available for those branches; upgrade to a supported branch is required.

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.