Within a span of three months, one more critical vulnerability with a score of 10.0 has been observed in PAN-OS devices. When a Captive Portal or Multi-factor authentication interface is enabled on PAN-OS devices, it is considered to be vulnerable to critical buffer overflow vulnerability. This vulnerability is classified as CWE-120 and assigned CVE-2020-2040, on Sept 9, 2020.
This vulnerability disturbs the cadence of PAN-OS devices primarily because of two factors. Firstly, it doesn’t require any authentication, and secondly, it has a potential to disrupt system processes and execute arbitrary code injection. Once exploited, an unauthenticated user can gain root privileges by sending a malicious request to the PAN-OS Captive Portal or the Multi-Factor Authentication (MFA) interface. This issue is applicable only where either Captive Portal is enabled or MFA is configured as per the steps mentioned in the Configure Multi-Factor Authentication section of the PAN-OS® Administrator’s Guide.
So far, there has been no information of this CVE being exploited in the wild, and more than ~5k PAN-OS devices are active at the time when this blog was published.
Image Source: Shodan
Image Source: Palo Alto
Users are advised to update their PAN-OS installations to PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions. For information, refer to the following article:
CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled
Qualys customers can scan their network with QID 13975 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.