Platform
paloalto
Component
pan-os
Fixed in
8.0.1
7.1.26
8.1.12
9.0.6
CVE-2020-2018 is a critical authentication bypass vulnerability affecting Palo Alto Networks PAN-OS. This flaw allows an attacker with network access to a Panorama management interface to potentially gain privileged access to managed firewalls. The vulnerability impacts PAN-OS versions 7.1 prior to 7.1.26, 8.1 prior to 8.1.12, 9.0 prior to 9.0.6, and all versions of PAN-OS 8.0. Fixed releases are PAN-OS 7.1.26, 8.1.12 and 9.0.6.
Successful exploitation of CVE-2020-2018 grants an attacker unauthorized privileged access to managed firewalls within a Palo Alto Networks environment. This could lead to complete compromise of the firewall, enabling attackers to modify security policies, exfiltrate sensitive data, and pivot to other systems within the network. The attacker requires some knowledge of the managed firewalls to exploit the vulnerability effectively. The blast radius extends to all managed firewalls connected to the vulnerable Panorama instance, potentially impacting the entire network infrastructure. This vulnerability shares characteristics with other privilege escalation flaws, where a lack of proper authentication checks allows unauthorized access to sensitive resources.
CVE-2020-2018 was publicly disclosed on May 13, 2020. The vulnerability is considered highly exploitable due to the ease of access and the potential for significant impact. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation suggest it remains a significant risk. The vulnerability has been added to the CISA KEV catalog, indicating a high probability of exploitation. Public proof-of-concept exploits are available, increasing the risk of widespread exploitation.
Organizations heavily reliant on Palo Alto Networks firewalls and Panorama for centralized management are particularly at risk. Environments with legacy PAN-OS versions (8.0 and earlier) and those lacking robust network segmentation are also highly vulnerable. Shared hosting environments utilizing Palo Alto firewalls should be especially vigilant, as they may be affected by vulnerabilities in the underlying infrastructure.
• paloalto / firewall:
Get-PanEvent | Where-Object {$_.type -eq "authentication" -and $_.severity -eq "critical"}
• paloalto / firewall:
Get-PanDevice | Where-Object { $v = [version]($_.version -replace '-h\d+$',''); ($v.Major -eq 8 -and $v.Minor -eq 0) -or ($v -ge '7.1' -and $v -lt '7.1.26') -or ($v -ge '8.1' -and $v -lt '8.1.12') -or ($v -ge '9.0' -and $v -lt '9.0.6') }  # per-branch numeric check; a string -lt "9.0.6" would flag patched 7.1/8.1 releases and misorder 10.x
• paloalto / firewall:
Get-PanLog | Where-Object {$_.category -eq "system" -and $_.message -like "*context switching*"}
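As an added example (not code from the advisory or from Palo Alto Networks), a Python check of the affected-version ranges stated above that compares per branch and numerically instead of with a single string comparison, handles hotfix suffixes such as 9.0.5-h1, and applies the custom-certificate exemption. The sample inventory, device names and the treatment of branches the advisory does not name (9.1, 10.x) as unaffected are assumptions.

```python
import re

# Fixed releases per PAN-OS branch named in the advisory; None means the whole
# branch is affected and has no fixed release (all of PAN-OS 8.0).
FIXED_IN = {(7, 1): (7, 1, 26), (8, 0): None, (8, 1): (8, 1, 12), (9, 0): (9, 0, 6)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos_version(text):
    """Parse '9.0.5-h1' into (9, 0, 5, 1); the hotfix number defaults to 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def is_affected(version, custom_certs=False):
    """True when a Panorama-managed firewall on this version is exposed.
    Branches the advisory does not name (9.1, 10.x, ...) are assumed
    unaffected; custom Panorama-to-device certificates make it not applicable."""
    if custom_certs:
        return False
    major, minor, patch, _hotfix = parse_panos_version(version)
    if (major, minor) not in FIXED_IN:
        return False
    fixed = FIXED_IN[(major, minor)]
    if fixed is None:
        return True
    # A hotfix of an older patch level (9.0.5-h2) is still below the fix (9.0.6).
    return (major, minor, patch) < fixed

# Constructed sample inventory; device names and versions are not real.
SAMPLE_INVENTORY = [
    {"name": "fw-edge-01", "version": "9.0.5-h2", "custom_certs": False},
    {"name": "fw-edge-02", "version": "9.0.6", "custom_certs": False},
    {"name": "fw-dc-01", "version": "8.0.21", "custom_certs": False},
    {"name": "fw-dc-02", "version": "8.1.11", "custom_certs": True},
    {"name": "fw-lab-01", "version": "7.1.25", "custom_certs": False},
    {"name": "fw-lab-02", "version": "10.0.1", "custom_certs": False},
]

def affected_devices(inventory):
    """Names of inventory entries that still need the fixed release."""
    return [d["name"] for d in inventory
            if is_affected(d["version"], d.get("custom_certs", False))]

if __name__ == "__main__":
    print(affected_devices(SAMPLE_INVENTORY))  # ['fw-edge-01', 'fw-dc-01', 'fw-lab-01']
```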
Exploit status
EPSS
0.32% (percentile 55%)
CVSS vector
The primary mitigation for CVE-2020-2018 is to upgrade to PAN-OS version 9.0.6 or later. If an immediate upgrade is not feasible, Palo Alto Networks recommends implementing network segmentation to limit access to the Panorama management interface. Consider using a Web Application Firewall (WAF) or proxy to filter traffic and block suspicious requests targeting the context switching feature. Review and restrict access controls to the Panorama management interface, ensuring only authorized personnel can access it. For environments using custom certificates for communication between Panorama and managed devices, this vulnerability is not applicable. After upgrading, verify the fix by attempting to access the Panorama management interface from an unauthorized network location and confirming access is denied.
Update PAN-OS to version 7.1.26, 8.1.12 or 9.0.6, or a later release, as applicable. If you are running version 8.0, consider upgrading to a supported, fixed version. If Panorama is configured with custom certificates for communication with managed firewalls, no action is required.
CVE-2020-2018 is a critical vulnerability allowing attackers to bypass authentication and gain privileged access to managed firewalls in Palo Alto Networks PAN-OS versions 7.1 prior to 7.1.26, 8.1 prior to 8.1.12, 9.0 prior to 9.0.6, and all versions of 8.0.
If you are running PAN-OS versions 7.1 prior to 7.1.26, 8.1 prior to 8.1.12, 9.0 prior to 9.0.6, or 8.0, you are affected by this vulnerability. Environments using custom certificates for Panorama-device communication are not affected.
Upgrade to PAN-OS version 9.0.6 or later to remediate the vulnerability. Implement network segmentation and restrict access to the Panorama management interface as interim measures.
While no active exploitation campaigns have been publicly confirmed, the critical severity and availability of public proof-of-concept exploits suggest a high risk of exploitation.
Refer to the Palo Alto Networks Security Advisory for details: https://knowledge.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJCCA0