Platform
paloalto
Component
pan-os
Fixed in
8.0.1
7.1.26
8.1.12
9.0.6
CVE-2020-2018 is a critical authentication bypass vulnerability affecting Palo Alto Networks PAN-OS. This flaw allows an attacker with network access to a Panorama management interface to potentially gain privileged access to managed firewalls. The vulnerability impacts PAN-OS versions 7.1 prior to 7.1.26, 8.1 prior to 8.1.12, 9.0 prior to 9.0.6, and all versions of PAN-OS 8.0. A fix is available in PAN-OS 9.0.6.
Successful exploitation of CVE-2020-2018 grants an attacker unauthorized privileged access to managed firewalls within a Palo Alto Networks environment. This could lead to complete compromise of the firewall, enabling attackers to modify security policies, exfiltrate sensitive data, and pivot to other systems within the network. The attacker requires some knowledge of the managed firewalls to exploit the vulnerability effectively. The blast radius extends to all managed firewalls connected to the vulnerable Panorama instance, potentially impacting the entire network infrastructure. This vulnerability shares characteristics with other privilege escalation flaws, where a lack of proper authentication checks allows unauthorized access to sensitive resources.
CVE-2020-2018 was publicly disclosed on May 13, 2020. The vulnerability is considered highly exploitable due to the ease of access and the potential for significant impact. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation suggest it remains a significant risk. The vulnerability has been added to the CISA KEV catalog, indicating a high probability of exploitation. Public proof-of-concept exploits are available, increasing the risk of widespread exploitation.
Organizations heavily reliant on Palo Alto Networks firewalls and Panorama for centralized management are particularly at risk. Environments with legacy PAN-OS versions (8.0 and earlier) and those lacking robust network segmentation are also highly vulnerable. Shared hosting environments utilizing Palo Alto firewalls should be especially vigilant, as they may be affected by vulnerabilities in the underlying infrastructure.
• paloalto / firewall:
Get-PanEvent | Where-Object {$_.type -eq "authentication" -and $_.severity -eq "critical"}
• paloalto / firewall:
# Compare as versions, not strings; strip any hotfix suffix (e.g. -h1) before the cast
Get-PanDevice | Where-Object {[version]($_.version -replace '-.*$') -lt [version]"9.0.6"}
• paloalto / firewall:
Get-PanLog | Where-Object {$_.category -eq "system" -and $_.message -like "*context switching*"}
disclosure
patch
Exploit Status
EPSS
0.32% (55th percentile)
CVSS Vector
The primary mitigation for CVE-2020-2018 is to upgrade to PAN-OS version 9.0.6 or later. If an immediate upgrade is not feasible, Palo Alto Networks recommends implementing network segmentation to limit access to the Panorama management interface. Consider using a Web Application Firewall (WAF) or proxy to filter traffic and block suspicious requests targeting the context switching feature. Review and restrict access controls to the Panorama management interface, ensuring only authorized personnel can access it. For environments using custom certificates for communication between Panorama and managed devices, this vulnerability is not applicable. After upgrading, verify the fix by attempting to access the Panorama management interface from an unauthorized network location and confirming access is denied.
Update PAN-OS to version 7.1.26, 8.1.12 or 9.0.6, or a later version, as appropriate. If you are running version 8.0, consider upgrading to a supported, fixed version. If Panorama is configured with custom certificates for communication with the managed firewalls, no action is required.
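The per-branch fixed versions above, turned into an inventory check. This is an added example, not code from the original page or from Palo Alto Networks; the function names and the sample inventory are constructed for illustration. It compares the maintenance number numerically within each branch, so a release such as 7.1.9 is not mistaken for being newer than 7.1.26.

```python
import re

# Fixed maintenance release per branch, as listed on this page.
FIXED = {(7, 1): 26, (8, 1): 12, (9, 0): 6}
# The page lists every 8.0 release as affected.
ALL_AFFECTED = {(8, 0)}

# major.minor.maintenance with an optional suffix such as "-h1" (hotfix)
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?$")


def classify(version):
    """Return 'affected', 'fixed', 'not_listed' or 'unparseable'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparseable"  # review by hand; never assume it is safe
    major, minor, maint = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in ALL_AFFECTED:
        return "affected"
    if branch in FIXED:
        # A hotfix of an unfixed maintenance release is still affected.
        return "affected" if maint < FIXED[branch] else "fixed"
    return "not_listed"  # branch is not in this page's affected list


def audit(inventory):
    """Return {hostname: status} for devices that need attention."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    return {h: s for h, s in statuses.items() if s in ("affected", "unparseable")}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "7.1.9",
    "fw-dc-01": "8.0.20",
    "fw-dc-02": "8.1.12-h1",
    "fw-lab-01": "9.0.5-h3",
    "panorama-01": "9.0.6",
    "fw-new-01": "10.0.0",
    "fw-odd-01": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The check covers version only; per the page, deployments using custom certificates between Panorama and managed devices are not affected regardless of version.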
CVE-2020-2018 is a critical vulnerability allowing attackers to bypass authentication and gain privileged access to managed firewalls in Palo Alto Networks PAN-OS versions 7.1<7.1.26, 8.1<8.1.12, 9.0<9.0.6, and all versions of 8.0.
If you are running PAN-OS versions 7.1 prior to 7.1.26, 8.1 prior to 8.1.12, 9.0 prior to 9.0.6, or 8.0, you are affected by this vulnerability. Environments using custom certificates for Panorama-device communication are not affected.
Upgrade to PAN-OS version 9.0.6 or later to remediate the vulnerability. Implement network segmentation and restrict access to the Panorama management interface as interim measures.
While no active exploitation campaigns have been publicly confirmed, the critical severity and availability of public proof-of-concept exploits suggest a high risk of exploitation.
Refer to the Palo Alto Networks Security Advisory for details: https://knowledge.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJCCA0