PAN-OS Critical Buffer Overflow Vulnerability (CVE-2020-2040) – Automatically Discover, Prioritize and Remediate Using Qualys VMDR®

On Sept 9, 2020, Palo Alto Networks published nine security bulletins addressing vulnerabilities in PAN-OS operating system versions 8.0 or later. One of the nine CVEs released, CVE-2020-2040, received a critical severity rating score of 9.8 based on the CVSS v3 Scoring system.

PAN-OS devices are vulnerable to CVE-2020-2040, when a Captive Portal or multi-factor authentication interface is enabled. Once exploited, an unauthenticated user can gain root privileges by sending a malicious request to the PAN-OS device. This vulnerability is rated as critical mainly for two reasons. First, it doesn’t require any authentication; and second, it has the potential to disrupt system processes and execute arbitrary code injection.

According to Shodan, more than ~5k PAN-OS devices are active, and accessible over the internet at the time when this blog was published. Also, based on internal analysis from Qualys only 4% of the systems are patched. Organizations need to take this vulnerability seriously, and patch immediately. 

Image Source: Shodan

Along with CVE-2020-2040, other vulnerabilities were also remedied by Palo Alto Networks:

CVE-ID CVSS v3 Score
CVE-2020-204 9.8
CVE-2020-2036 8.8
CVE-2020-2041 7.5
CVE-2020-2037 7.2
CVE-2020-2038 7.2
CVE-2020-2042 7.2
CVE-2020-2039 5.3
CVE-2020-2043 3.3
CVE-2020-2044 3.3

Affected Products:

PAN-OS 9.1
PAN-OS 9.0
PAN-OS 8.1
PAN-OS 8.0

A complete list of affected devices is available: PAN-OS Security Advisory.

Identification of Assets using Qualys VMDR

The first step in managing vulnerabilities and reducing risk is identification of assets. Qualys VMDR makes it easy to identify PAN-OS systems.

operatingSystem:"PAN-OS"

Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say “CVE-2020-2040”. This helps in automatically grouping existing hosts with PAN-OS as well as any new PAN-OS hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform

Discover PAN-OS Buffer Overflow “CVE-2020-2040” Vulnerability

Now that hosts with PAN-OS are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like CVE-2020-2040 based on the always updated Knowledgebase.

You can see all your impacted hosts for this vulnerability tagged with the ‘CVE-2020-2040’ asset tag in the vulnerabilities view by using this QQL query:

vulnerabilities.vulnerability.qid:13975

This will return a list of all impacted hosts.

QID 13975 is available in signature version VULNSIGS-2.4.986-2 and above and can be detected using authenticated scanning.

Along with QID 13975, Qualys has released the following QIDs in the KnowledgeBase to address PAN-OS CVEs:

  • QID 13975: Palo Alto Networks PAN-OS Buffer Overflow Vulnerability
  • QID 13971: Palo Alto Networks PAN-OS Reflected Cross-Site Scripting (XSS) vulnerability
  • QID 13977: Palo Alto Networks PAN-OS Denial-Of-Service Vulnerability
  • QID 13972: Palo Alto Networks PAN-OS OS Command Injection Vulnerability
  • QID 13973: Palo Alto Networks PAN-OS OS Command Injection Vulnerability
  • QID 13978: Palo Alto Networks PAN-OS Management Web Interface Buffer Overflow Vulnerability
  • QID 13974: Palo Alto Networks PAN-OS Management Web Interface Denial-Of-Service Vulnerability
  • QID 13979: Palo Alto Networks PAN-OS Information Exposure Vulnerability
  • QID 13980: Palo Alto Networks PAN-OS Information Exposure Vulnerability

Using VMDR, the CVE-2020-2040 can be prioritized for the following real-time threat indicators (RTIs):

  • Remote Code Execution
  • Denial of Service
  • High Data Loss
  • High Lateral Movement
  • Easy Exploit

VMDR also enables you to stay on top of these threats proactively via the ‘live feed’ provided for threat prioritization. With ‘live feed’ updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.  

Simply click on the impacted assets for the PAN-OS threat feed to see the vulnerability and impacted host details. 

Tracking via Dashboards

With VMDR Dashboard, you can track PAN-OS vulnerabilities, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of CVE-2020-2040 vulnerability trends in your environment using the Palo Alto Networks dashboard.

Solution

Users are advised to update their PAN-OS installations to PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.

For information, see: CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled.

Get Started Now

Start your Qualys VMDR trial for automatically identifying, detecting and patching the high-priority PAN-OS vulnerability CVE-2020-2040.