Researchers unveil details of security flaws in enterprise firewall technology

UPDATED Security researchers have unveiled details of a series of flaws in Palo Alto Network’s firewall software addressed by the networking vendor last September.

The swarm of four vulnerabilities covers various flaws in Palo Alto’s PAN-OS operating system that were discovered by security researchers at Positive Technologies (PT).

PAN-OS is the technology behind Palo Alto Networks’ next-generation firewall (NGFW), a widely-used enterprise-grade firewall.

Undesirable consequences

The vulnerabilities could lead to arbitrary OS command execution by an authorized user CVE-2020-2037 and CVE-2020-2038 – denial of service by an unauthorized user (CVE-2020-2039), and reflected cross-site scripting (XSS) (CVE-2020-2036).

In a technical blog post published on Thursday Positive Technologies’ Mikhail Klyuchnikov and Nikita Abramov explain how these flaws could lead to all manner of undesirable consequences.

“Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments,” the researchers warn.


Catch up on the latest security vulnerability news


The flaws were discovered during black box analysis of the firewall web management interface by the two researchers.

The CVE-2020-2037 vulnerability stemmed from lack of user input filtering, while the related CVE-2020-2038 security flaw involved insufficient filtering of user inputs.

Both could result in remote code execution (RCE) but each was restricted to exploitation only by pre-authorized users, reducing the overall risk.

Another vulnerability allowed any unauthenticated user to conduct denial-of-service (DoS) attacks.

The firewall is in built with the Nginx web server. The flaw makes it possible to upload multiple files to this server to the point that there is no remaining disc space.

Without any disc space resource to make use of the Palo Alto Networks NGFW web management panel become unaccessible - effectively a denial of service since the whole device can’t be used normally in this scenario.

“We tried to open the web management interface but could not log in,” the researchers explain. “Most likely, this happened because PHP failed to create a session file on disk, due to the lack of disk space available.

As a result, we were able to conduct a DoS attack on Palo Alto NGFW components acting as an unauthenticated user.”

‘Easily exploitable’ XSS

The fourth vulnerability involved a reflected XSS vulnerability discovered in the script /unauth/php/change_password.php.

“The script makes use of the $_SERVER['PHP_SELF'] variable, which is user-controlled,” the researchers explain.

“This variable is inserted into an attribute value in the form tag without any filtering, thus making the XSS vulnerability easily exploitable.”

All four of the vulnerabilities have been resolved but each affects different versions of PAN-OS so, short of referring readers to PT’s advisory for details, the best advice for sysadmins is to upgrade to the latest version of the supported version of the software.

In response to queries from The Daily Swig, Palo Alto said customers should review the advisories it published last September (linked above). It also offered a brief comment on its engagement with researchers.

The security of our customers is our top priority.

In September 2020, Palo Alto Networks released patches and published security advisories for remediation. We appreciate the researchers sharing their findings.

Positive Technologies and Palo Alto is yet to respond to a request for comment. We’ll update this story as and when more information comes to hand.


This story has been updated with comment from Palo Alto Networks


RELATED Exploit developed for critical Palo Alto authentication flaw