Vulnerabilities > CVE-2020-1990 - Out-of-bounds Write vulnerability in Paloaltonetworks Pan-Os

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

paloaltonetworks

CWE-787

critical

nessus

NVD

Published: 2020-04-08

Updated: 2020-04-09

Summary

A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13; 9.0 versions before 9.0.7. This issue does not affect PAN-OS 7.1.

Vulnerable Configurations

Part	Description	Count
OS	Paloaltonetworks Paloaltonetworks PAN OS 8.1.0 Paloaltonetworks PAN OS 8.1.1 Paloaltonetworks PAN OS 8.1.2 Paloaltonetworks PAN OS 8.1.3 Paloaltonetworks PAN OS 8.1.4 Paloaltonetworks PAN OS 8.1.5 Paloaltonetworks PAN OS 8.1.6 Paloaltonetworks PAN OS 8.1.7 Paloaltonetworks PAN OS 8.1.8 Paloaltonetworks PAN OS 8.1.9 Paloaltonetworks PAN OS 8.1.11 Paloaltonetworks PAN OS 8.1.12 Paloaltonetworks PAN OS 9.0.0 Paloaltonetworks PAN OS 9.0.1 Paloaltonetworks PAN OS 9.0.2 Paloaltonetworks PAN OS 9.0.3 Paloaltonetworks PAN OS 9.0.4 Paloaltonetworks PAN OS 9.0.5 Paloaltonetworks PAN OS 9.0.6	24

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Nessus

NASL family	Palo Alto Local Security Checks
NASL id	PALO_ALTO_PAN-OS_9_0_7.NASL
description	The version of Palo Alto Networks PAN-OS running on the remote host is 8.1.x prior to 8.1.13 or 9.0.x prior to 9.0.7. It is, therefore, affected by a remote code execution vulnerability. An authenticated, remote attacker can exploit this to upload a corrupted PAN-OS configuration and potentially execute code with root privileges.
last seen	2020-04-17
modified	2020-04-16
plugin id	135690
published	2020-04-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135690
title	Palo Alto Networks PAN-OS 8.1.x < 8.1.13 / 9.0.x < 9.0.7 RCE
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(135690); script_version("1.1"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/16"); script_cve_id("CVE-2020-1990"); script_xref(name: "IAVA", value:"2020-A-0137"); script_name(english:"Palo Alto Networks PAN-OS 8.1.x < 8.1.13 / 9.0.x < 9.0.7 RCE"); script_summary(english:"Checks the PAN-OS version."); script_set_attribute(attribute:"synopsis", value: "The remote PAN-OS host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description",value: "The version of Palo Alto Networks PAN-OS running on the remote host is 8.1.x prior to 8.1.13 or 9.0.x prior to 9.0.7. It is, therefore, affected by a remote code execution vulnerability. An authenticated, remote attacker can exploit this to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. "); # https://security.paloaltonetworks.com/CVE-2020-1990 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a5ed573b"); script_set_attribute(attribute:"solution", value: "Upgrade to PAN-OS 8.1.13 / 9.0.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1990"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/08"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Palo Alto Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("palo_alto_version.nbin"); script_require_keys("Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version", "Host/Palo_Alto/Firewall/Source"); exit(0); } include('vcf.inc'); include('http_func.inc'); app_name = 'Palo Alto Networks PAN-OS'; port = get_http_port(default:443); app_info = vcf::get_app_info( app: app_name, kb_ver:'Host/Palo_Alto/Firewall/Version', kb_source:'Host/Palo_Alto/Firewall/Source', port:port, service:TRUE ); vcf::check_granularity(app_info:app_info, sig_segments:2); # Note, PA versions can also come like 9.0.7-h1. This won't parse correctly # with how vcf is now and should be paranoided. constraints = [ { 'min_version' : '8.1', 'fixed_version' : '8.1.13' }, { 'min_version' : '9.0', 'fixed_version' : '9.0.7' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

References

https://security.paloaltonetworks.com/CVE-2020-1990