Palo Alto Networks (PAN) today addressed another serious vulnerability, found in the PAN-OS GlobalProtect portal, that affects unpatched PAN next-generation firewalls.
On June 29, PAN also fixed a critical vulnerability (CVE-2020-2021) with a CVSSv3 rating of 10/10 that allows unauthorized intruders to bypass authentication on PAN-OS devices with SAML authentication enabled and the "Validate Identity Provider Certificate" option disabled.
The OS command injection vulnerability fixed today, tracked as CVE-2020-2034, allows remote unauthenticated intruders to execute arbitrary operating system commands with root privileges on unpatched devices.
CVE-2020-2034 has been rated high severity, with a CVSS 3.x base score of 8.1, and can be exploited by threat actors with network access to vulnerable servers as part of high-complexity attacks that do not require user interaction.
It only affects devices with the GlobalProtect portal enabled
"This issue cannot be exploited if the GlobalProtect portal feature is not enabled," explains PAN's security advisory. "Prisma Access services are not affected by this vulnerability."
The following table includes the affected PAN-OS versions, as well as those for which Palo Alto Networks released updates to defend against potential attacks (the problem is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all newer versions).
PAN-OS 7.1 and PAN-OS 8.0 have reached end of life and will not receive security updates to address this vulnerability.
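The version and portal conditions above can be turned into a fleet triage check. The following Python is an added example, not code from the article or from Palo Alto Networks; the hostnames, the status labels, and the choice to treat a hotfix build of an older maintenance release as unpatched are assumptions.

```python
import re

# Fixed maintenance release per branch, as stated in the article.
FIXED = {(8, 1): 15, (9, 0): 9, (9, 1): 3}
# Branches the article lists as end-of-life: no fix will be released.
EOL = {(7, 1), (8, 0)}

def parse_version(text):
    """Parse 'major.minor.maint' with optional '-hN' hotfix suffix; None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(version, portal_enabled):
    """Classify one device's CVE-2020-2034 status from its version and portal state."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    branch, maint = parsed[:2], parsed[2]
    if branch in EOL:
        patched = False
    elif branch in FIXED:
        # Assumption: a hotfix of an older maintenance release is not patched.
        patched = maint >= FIXED[branch]
    elif branch > max(FIXED):
        patched = True  # "all newer versions" carry the fix
    else:
        return "unknown"  # branch not covered by the article
    if patched:
        return "fixed"
    if not portal_enabled:
        return "portal-disabled"  # not exploitable now, still unpatched
    return "eol-exposed" if branch in EOL else "upgrade-required"

# Constructed sample inventory: (hostname, PAN-OS version, GlobalProtect portal enabled).
INVENTORY = [
    ("fw-edge-01", "8.1.14", True),
    ("fw-edge-02", "9.0.8-h1", True),
    ("fw-core-01", "9.1.3", True),
    ("fw-lab-01", "8.0.20", True),
    ("fw-lab-02", "7.1.26", False),
]

def triage_fleet(inventory):
    """Return {hostname: status} for every device in the inventory."""
    return {host: triage(ver, portal) for host, ver, portal in inventory}

if __name__ == "__main__":
    for host, status in triage_fleet(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "portal-disabled" are not exploitable in their current configuration but still run an unpatched release, so they belong on the upgrade list as well.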
The vulnerability was discovered by Yamata Li of the Palo Alto Networks Threat Research Team during an internal security review.
Attackers need additional knowledge to exploit it
"An intruder would require some level of specific information about building an affected firewall or performing brute-force attacks to take advantage of this issue," said Palo Alto Networks' security advisory.
Although PAN does not explain what specific information attackers need to know about vulnerable devices to successfully exploit the vulnerability, NT Warfield of the CTI League said this could mean that attacks must be adjusted per device.
"Attack Complexity is a bit vague, and high complexity can mean different things depending on what the vulnerability is, what the product is, and the level of complexity the vendor assumes is exploitable," Warfield told BleepingComputer when he was asked to explain the phrase "attacks are adjusted per device".
"The low level of complexity is vulnerabilities such as MS17-010, SMBGhost, etc., which only need the device to be exposed so that it can be exploited.
"The complexity can be either 'modifying the memory offsets in the PoC based on the number of CPUs / memory' or it could be something else, so the measurement is very subjective."