Palo Alto Next Generation Firewall Detected With Four Vulnerabilities


Details of a series of bugs in Palo Alto Firewall Software, which the network provider addressed last September, were revealed by security researchers recently. The four-vulnerability swarm of bugs contains many bugs within, found by protection experts in Positive Technologies in the Palo Alto PAN-OS operating system. The next-generation firewall (NGFW) from Palo Alto Networks is the leading corporate firewall used to protect businesses from many cyber threats worldwide. It works with its own "PAN-OS" operating system. 

Palo Alto Networks, Inc. is an American, international, Santa Clara, California-based, cybersecurity corporation. Its key offerings are a portal for integrated firewalls and cloud-based offers to broaden these firewalls into other security dimensions. 

The vulnerabilities detected could lead to arbitrary OS command execution by an authorized user CVE-2020-2037 and CVE-2020-2038 – denial of service by an unauthorized user (CVE-2020-2039), and reflected cross-site scripting (XSS) (CVE-2020-2036). The weakness of CVE-2020-2037 was caused by the absence of user input filters. These may have contributed to remote code execution (RCE), but only pre-authorized users were limited to service, minimizing overall risk. These vulnerabilities allow an attacker to acquire access to sensitive information, to interrupt firewall component availability, or to access internal network segments. A black box examination of the web control interface of the firewall found, that the first vulnerability was triggered by a lack of user input filtering. PHP scripts manage user requests and transfers all data relating to a local port listening facility. It searches the data and returns the findings to the web application customer. 

“Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments,” the researchers stated.

Unauthenticated users can carry out Denial-of-Service (DoS) attacks with a different vulnerability. The Nginx application platform is built into the firewall. The bug causes several files to be transferred to this server in such a manner that no storage space is left. The Palo Alto Networks NGFW site control panel is no longer available without any disk space resources. This is essentially a denial of service since the system as a whole cannot usually be used in this situation.

“We tried to open the web management interface but could not log in,” the researchers explained. “Most likely, this happened because PHP failed to create a session file on disk, due to the lack of disk space available. As a result, we were able to conduct a DoS attack on Palo Alto NGFW components acting as an unauthenticated user.” 

The fourth vulnerability involved a reflective XSS vulnerability exposed in the /unauth/php/change_password.php script. This script uses the user-controlled vector $_SERVER['PHP SELF'].

Though all four of the bugs are fixed, but each of these affected separate versions of PAN-OS, so the safest recommendation for sysadmins is to update to the current edition of the supported product.