Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. PAN-OS is an operating system for Palo Alto Network Appliances. An attacker can exploit this issue using maliciously crafted URI. The attacker uses email or other means to distribute the malicious URI and entices an unsuspecting user to follow it hijacking the user session ID. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to the affected application.
Systems Affected:
- PAN-OS 7.1, 8.0, 8.1 prior to 8.1.14
- PAN-OS versions 9.0 prior to 9.0.8
Technical Summary:
Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for session fixation attacks. Details of the vulnerabilities are as follows:
- CVE-2020-1993: GlobalProtect Portal PHP session fixation vulnerability
- CVE-2020-2006: Buffer overflow in management server payload parser
- CVE-2020-1998: Improper SAML SSO authorization of shared local users
- CVE-2020-2012: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak
- CVE-2020-2007: OS command injection in management server
- CVE-2020-1997: GlobalProtect registration open redirect
- CVE-2020-1994: Predictable temporary file vulnerability
- CVE-2020-1996: Panorama management server log injection
- CVE-2020-2011: Panorama registration denial of service
- CVE-2020-2009: Panorama SD WAN arbitrary file creation
