Palo Alto Networks fixes Critical PAN-OS vulnerability (CVE-2020-2040)

Palo Alto Networks has fixed a Critical buffer overflow vulnerability that could allow an attacker to execute remote code as root on PAN-OS devices, along with multiple other High severity issues.

“A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface,” Palo Alto Networks warned in the advisory.

The issue affects the following versions of PAN-OS that have either Captive Portal or Multi-Factor Authentication (MFA) enabled:

  • All versions of PAN-OS 8.0
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.

However, the vulnerability does not impact the GlobalProtect VPN or the PAN-OS management web interfaces.

The issue carries a CVSS score of 9.8.
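As an added example (not from this article or the vendor advisory), the following Python check encodes the affected-version list above so an inventory script can flag exposed devices; treating an optional "-hN" hotfix suffix as part of the version string is an assumption about PAN-OS version formatting.

```python
"""Flag PAN-OS releases in the affected range for CVE-2020-2040.

Affected per the advisory: all 8.0.x; 8.1 earlier than 8.1.15;
9.0 earlier than 9.0.9; 9.1 earlier than 9.1.3, and only when
Captive Portal or Multi-Factor Authentication is enabled.
"""
import re

# First fixed release per affected train; None means every release
# in that train is affected (all of PAN-OS 8.0).
FIXED_RELEASES = {
    (8, 0): None,
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 3),
}

# major.minor.patch with an optional "-hN" hotfix suffix (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, patch, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version, captive_portal_enabled, mfa_enabled):
    """True when the release is vulnerable AND an affected interface is enabled."""
    if not (captive_portal_enabled or mfa_enabled):
        return False  # advisory scopes exposure to Captive Portal or MFA
    major, minor, patch, _hotfix = parse_panos_version(version)
    train = (major, minor)
    if train not in FIXED_RELEASES:
        return False  # trains the advisory does not list are not flagged
    fixed = FIXED_RELEASES[train]
    if fixed is None:
        return True  # no fixed 8.0 release exists; only an upgrade helps
    # Hotfixes on an earlier base release are still earlier than the fix.
    return (major, minor, patch) < fixed
```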

Other High severity PAN-OS vulnerabilities

In addition to the Critical vulnerability, Palo Alto Networks also addressed five High severity PAN-OS vulnerabilities.

The PAN-OS issues include XSS, DoS, OS command injection and buffer overflow flaws.

Check out the Palo Alto Networks security advisories for more details on these vulnerabilities and recommended upgrades, along with other Medium and Low severity issues.