Platform
paloalto
Component
pan-os
Fixed in
7.1.26
8.1.12
9.0.6
CVE-2020-2018 is a critical authentication bypass vulnerability in the Panorama context switching feature of Palo Alto Networks PAN-OS. An attacker with network access to the Panorama management interface can use it to gain privileged access to the firewalls that Panorama manages. It affects PAN-OS 7.1 versions earlier than 7.1.26, 8.1 versions earlier than 8.1.12, 9.0 versions earlier than 9.0.6, and every release of PAN-OS 8.0; PAN-OS 9.1 and later are not affected. Fixes are available in PAN-OS 7.1.26, 8.1.12 and 9.0.6. There is no fixed release on the 8.0 train, which is end of life.
Successful exploitation gives the attacker privileged access to the firewalls managed by the vulnerable Panorama, which amounts to administrative control of those devices: the attacker can change security policy, read configuration and logs, and use the firewalls as a foothold for further movement in the network. Palo Alto Networks notes that the attacker needs some knowledge of the managed firewalls to exploit the issue, which is why the advisory rates attack complexity as High rather than Low. Because Panorama centrally manages many devices, the blast radius is every firewall managed by the affected instance, not the Panorama appliance alone. The flaw is a missing authentication check in the context switching path, the mechanism by which a Panorama administrator pivots into a managed firewall's interface.
CVE-2020-2018 was publicly disclosed by Palo Alto Networks on May 13, 2020. The advisory does not report exploitation in the wild, no active exploitation campaign has been publicly confirmed, and no public proof-of-concept exploit is known; the EPSS score below is consistent with that. The Critical rating is driven by impact rather than by observed exploitation: the Panorama management interface is a management-plane service that should never be reachable from untrusted networks, but wherever it is, this flaw turns that exposure into control of every managed firewall. Treat it as a must-patch regardless of exploitation status.
Exploit Status
EPSS
0.32% (55th percentile)
CVSS Vector
The fix for CVE-2020-2018 is to upgrade to the patched release on your train: PAN-OS 7.1.26, 8.1.12 or 9.0.6, or later. PAN-OS 8.0 has no fixed release, so 8.0 deployments must move to a supported, patched train. Where an immediate upgrade is not possible, reduce exposure of the Panorama management interface: keep it on a dedicated management network, allow access only from trusted administrative hosts, and never expose it to the internet. Deployments that use custom certificates for communication between Panorama and managed devices are not affected, so configuring custom certificates is an effective interim mitigation. A WAF or proxy in front of the management interface is not a substitute for either, since it cannot reliably tell a legitimate context switch from an abusive one. After upgrading, verify the fix by confirming that the running software version on Panorama (for example from the output of the CLI command show system info) is at or above the fixed release; testing that unauthorized networks cannot reach the interface verifies your access control, not the patch.
Update PAN-OS to 7.1.26, 8.1.12 or 9.0.6, or a later release on the same train. There is no fixed release for PAN-OS 8.0; upgrade 8.0 deployments to a supported, patched train. If Panorama is configured with custom certificates for communication with managed firewalls, no action is required.
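The version checks above, worked through as an added example (this is not Palo Alto Networks code and not part of the original advisory). It assumes PAN-OS versions are written as major.minor.maint with an optional -hN hotfix suffix, encodes the affected ranges exactly as the advisory states them, treats the custom-certificate configuration as the "not affected" condition the advisory describes, and, as its own conservative assumption, flags unlisted trains older than 7.1 as affected rather than silently passing them. The sample inventory is constructed, not real hosts.

```python
"""Affected-version triage for CVE-2020-2018 (Panorama context switching
authentication bypass). Added example, not Palo Alto Networks code.

Ranges come from the advisory: PAN-OS 7.1 < 7.1.26, 8.1 < 8.1.12, 9.0 < 9.0.6,
every 8.0 release (the train has no fix), and 9.1 or later not affected.
Assumed here: the 'major.minor.maint' version format with an optional
'-hN' hotfix suffix, and that unlisted trains older than 7.1 (long end of
life) are flagged as affected rather than silently passed."""
import re
from typing import Dict, List, Optional, Tuple

# Release train -> first fixed maintenance release. None means no fix exists.
FIXED_IN: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (7, 1): (7, 1, 26),
    (8, 0): None,
    (8, 1): (8, 1, 12),
    (9, 0): (9, 0, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """'8.1.12-h3' -> (8, 1, 12, 3); raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str, custom_certs: bool = False) -> bool:
    """True if Panorama on this PAN-OS version is exposed to CVE-2020-2018.

    custom_certs: Panorama uses custom certificates for communication with
    managed devices; the advisory states such deployments are not affected."""
    if custom_certs:
        return False
    major, minor, maint, _ = parse_panos_version(version)
    train = (major, minor)
    if train not in FIXED_IN:
        # 9.1 and later are stated not affected; anything older than 7.1 is
        # unlisted and end of life, so flag it conservatively (assumption).
        return train < (7, 1)
    fixed = FIXED_IN[train]
    if fixed is None:
        return True  # all 8.0 releases are affected
    return (major, minor, maint) < fixed


def remediation(version: str, custom_certs: bool = False) -> str:
    """Action for one Panorama: what to upgrade to, if anything."""
    if not is_affected(version, custom_certs):
        return "not affected"
    train = parse_panos_version(version)[:2]
    fixed = FIXED_IN.get(train)
    if fixed is None:
        return "no fixed release on this train; migrate to a supported train"
    return "upgrade to %d.%d.%d" % fixed


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (hostname, action) for every affected Panorama in an inventory
    of (hostname, sw-version, custom_certs) tuples, e.g. collected from each
    appliance's 'show system info' output."""
    return [
        (host, remediation(ver, certs))
        for host, ver, certs in inventory
        if is_affected(ver, certs)
    ]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("panorama-dc1", "9.0.5", False),
        ("panorama-dc2", "9.0.6", False),
        ("panorama-lab", "8.0.20", False),
        ("panorama-edge", "8.1.11-h1", True),
        ("panorama-new", "9.1.3", False),
    ]
    for host, action in triage(sample):
        print(f"{host}: {action}")
```

Running the sample lists panorama-dc1 (upgrade to 9.0.6) and panorama-lab (no fix on 8.0). panorama-edge is skipped only because of its custom-certificate configuration; with custom_certs set to False it would be flagged for upgrade to 8.1.12. Comparing the hotfix-stripped (major, minor, maint) tuple against the fixed release is deliberate: a hotfix on 8.1.11 does not carry the 8.1.12 fix.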
CVE-2020-2018 is a critical authentication bypass in the Panorama context switching feature that lets an attacker with access to the Panorama management interface gain privileged access to managed firewalls. It affects Palo Alto Networks PAN-OS 7.1 < 7.1.26, 8.1 < 8.1.12, 9.0 < 9.0.6, and all versions of 8.0.
If you are running PAN-OS 7.1 prior to 7.1.26, 8.1 prior to 8.1.12, 9.0 prior to 9.0.6, or any release of 8.0, you are affected. PAN-OS 9.1 and later, and environments using custom certificates for Panorama-to-device communication, are not affected.
Upgrade to PAN-OS 7.1.26, 8.1.12 or 9.0.6, or a later release on the same train; 8.0 has no fixed release, so migrate 8.0 deployments to a patched train. Until then, restrict access to the Panorama management interface to trusted administrative networks, or configure custom certificates for Panorama-to-device communication.
No active exploitation campaign has been publicly confirmed and no public proof-of-concept exploit is known, but the critical severity and the reach of a compromised Panorama over every firewall it manages make prompt patching essential.
Refer to the Palo Alto Networks Security Advisory for details: https://knowledge.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJCCA0