Paloalto PAN-OS vulnerabilities

CVE-2020-27619 [CRITICAL] Informational: Impact of Python Test Suite Vulnerability CVE-2020-27619 Informational: Impact of Python Test Suite Vulnerability CVE-2020-27619 The Palo Alto Networks Product Security Assurance team evaluated the Python test suite vulnerability CVE-2020-27619. There are no scenarios that enable successful exploitation of the vulnerability in Cortex XSOAR or PAN-OS software. No product release contains the Python test suite that is necessary to exploit this vulnerabili

CVE-2021-3156 [HIGH] Informational: Impact of Sudo Vulnerability CVE-2021-3156 Informational: Impact of Sudo Vulnerability CVE-2021-3156 Palo Alto Networks Product Security Assurance team has evaluated the Sudo software vulnerability CVE-2021-3156. PAN-OS software, Prisma Cloud compute, and Prisma SD-WAN (CloudGenix) devices do not include the Sudo program and, therefore, no scenarios required for successful exploitation exist in these Palo Alto Networks products. Affected products: PAN-OS, P

CVE-2021-3032 [MEDIUM] CWE-532 PAN-OS: Configuration secrets for log forwarding may be logged in system logs PAN-OS: Configuration secrets for log forwarding may be logged in system logs An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where configuration secrets for the “http”, “email”, and “snmptrap” v3 log forwarding server profiles can be logged to the logrcvr.log system log. Logged information may include up to 1024 bytes of the configura

CVE-2021-3031 [MEDIUM] CWE-200 PAN-OS: Information exposure in Ethernet data frame construction (Etherleak) PAN-OS: Information exposure in Ethernet data frame construction (Etherleak) Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-5000 Series, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethe

CVE-2020-1971 [MEDIUM] PAN-SA-2020-0011 Informational: Impact of OpenSSL vulnerability CVE-2020-1971 PAN-SA-2020-0011 Informational: Impact of OpenSSL vulnerability CVE-2020-1971 Palo Alto Networks Product Security Assurance team has evaluated the vulnerability CVE-2020-1971 that affects the OpenSSL library. The vulnerability does not have a security impact on PAN-OS, GlobalProtect App, or Cortex XSOAR. The scenarios required for successful CVEs: CVE-2020-1971 Affected products: Cortex XSOAR,

CVE-2020-2022 [HIGH] CWE-200 PAN-OS: Panorama session disclosure during context switch into managed device PAN-OS: Panorama session disclosure during context switch into managed device An information exposure vulnerability exists in Palo Alto Networks Panorama software that discloses the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performs a context switch into that device. This vulnerability allows an attacker to gain privile

CVE-2020-2050 [HIGH] CWE-285 PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain

CVE-2020-2000 [HIGH] CWE-121 PAN-OS: OS command injection and memory corruption vulnerability PAN-OS: OS command injection and memory corruption vulnerability An OS command injection and memory corruption vulnerability in the PAN-OS management web interface that allows authenticated administrators to disrupt system processes and potentially execute arbitrary code and OS commands with root privileges. Affected products: PAN-OS Solution: This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-

CVE-2020-1999 [MEDIUM] CWE-754 PAN-OS: Threat signatures are evaded by specifically crafted packets PAN-OS: Threat signatures are evaded by specifically crafted packets A vulnerability exists in the Palo Alto Network PAN-OS signature-based threat detection engine that allows an attacker to evade threat prevention signatures using specifically crafted TCP packets. This CVE has no impact on the confidentiality and availability of PAN-OS. This issue does not let an attacker access resources block

CVE-2020-2048 [LOW] CWE-532 PAN-OS: System proxy passwords may be logged in clear text while viewing system state PAN-OS: System proxy passwords may be logged in clear text while viewing system state An information exposure through log file vulnerability exists where the password for the configured system proxy server for a PAN-OS appliance may be displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS software. Affected products: PAN-OS Solution: This issue is fixed in PAN-OS

CVE-2020-2040 [CRITICAL] CWE-120 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface. This issue impacts: Al

CVE-2020-2038 [HIGH] CWE-78 PAN-OS: OS command injection vulnerability in the management web interface PAN-OS: OS command injection vulnerability in the management web interface An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. Affected products: PAN-OS Solution: This issue is fixed in PAN-OS 9.0.10, PAN-OS 9.1.4, PAN-OS 10.0.1, and all later PAN-OS versions. Workaround: Unt

CVE-2020-2042 [HIGH] CWE-121 PAN-OS: Buffer overflow in the management web interface PAN-OS: Buffer overflow in the management web interface A buffer overflow vulnerability in the PAN-OS management web interface allows authenticated administrators to disrupt system processes and potentially execute arbitrary code with root privileges. Affected products: PAN-OS Solution: This issue is fixed in PAN-OS 10.0.1 and all later PAN-OS versions. Workaround: This issue impacts the PAN-OS management we

CVE-2020-2041 [HIGH] CWE-16 PAN-OS: Management web interface denial-of-service (DoS) PAN-OS: Management web interface denial-of-service (DoS) An insecure configuration of the appweb daemon of Palo Alto Networks PAN-OS 8.1 allows a remote unauthenticated user to send a specifically crafted request to the device that causes the appweb service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance

CVE-2020-2037 [HIGH] CWE-78 PAN-OS: OS command injection vulnerability in the management web interface PAN-OS: OS command injection vulnerability in the management web interface An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. Affected products: PAN-OS Solution: This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.10, PAN-OS 9.1.3, and all later PAN-OS versions. Workaround: Unt

CVE-2020-2036 [HIGH] CWE-79 PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could poten

CVE-2020-2039 [MEDIUM] CWE-400 PAN-OS: Management web interface denial-of-service (DoS) through unauthenticated file upload PAN-OS: Management web interface denial-of-service (DoS) through unauthenticated file upload An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to dis

CVE-2020-2044 [LOW] CWE-532 PAN-OS: Passwords may be logged in clear text while storing operational command (op command) history PAN-OS: Passwords may be logged in clear text while storing operational command (op command) history An information exposure through log file vulnerability where an administrator's password or other sensitive information may be logged in cleartext while using the CLI in Palo Alto Networks PAN-OS software. The opcmdhistory.log file was introduced to track operational c

CVE-2020-2043 [LOW] CWE-532 PAN-OS: Passwords may be logged in clear text when using after-change-detail custom syslog field for config logs PAN-OS: Passwords may be logged in clear text when using after-change-detail custom syslog field for config logs An information exposure through log file vulnerability where sensitive fields are recorded in the configuration log without masking on Palo Alto Networks PAN-OS software when the after-change-detail custom syslog field is enabled for configurati

CVE-2020-10713 [HIGH] CWE-120 PAN PAN Palo Alto Networks is aware of the vulnerability known as BootHole (CVE-2020-10713) that affects the Grand Unified Bootloader (GRUB) used in Palo Alto Networks PAN-OS software. BootHole is a buffer overflow vulnerability that occurs in GRUB2 when parsing an attacker-controlled grub.cfg file. This vulnerability enables arbitrary code execution within the boot environment, which allows persistent control of the system. It is not possible for malicious actors