9 July 2020

Palo Alto Networks patches another critical flaw in PAN-OS devices



Less than two weeks after patching a dangerous flaw in the PAN-OS operating system, Palo Alto Networks has released a security update that addresses another severe vulnerability in PAN-OS devices.

The new issue, tracked as CVE-2020-2034, is an OS command injection vulnerability in PAN-OS GlobalProtect that an unauthenticated network-based attacker could exploit to execute arbitrary OS commands with root privileges.

“An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled,” Palo Alto Networks explained in the advisory.

The company has not specified what information an attacker needs to know to successfully exploit this vulnerability.

CVE-2020-2034 affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.

The vulnerability has been patched in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions. PAN-OS 7.1 and PAN-OS 8.0 versions will not receive patches as they are not supported by the vendor anymore. Firewalls that were upgraded to the latest versions of PAN-OS to resolve CVE-2020-2021 are not vulnerable to this issue.
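The version ranges above can be turned into a fleet triage check. The following is an added example, not code from Palo Alto Networks or from this article: the function names, the inventory layout and the sample devices are constructed, and it assumes version strings of the form major.minor.maintenance with an optional -hN hotfix suffix.

```python
import re

# Fixed maintenance release per train, as listed in the article.
# None means the train is end-of-life and will not receive a patch.
FIXED = {(9, 1): 3, (9, 0): 9, (8, 1): 15, (8, 0): None, (7, 1): None}

# Assumed format: major.minor.maintenance, optionally followed by -hN.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Return 'affected', 'affected-eol', 'patched' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"
    train, maint = (int(m[1]), int(m[2])), int(m[3])
    if train in FIXED:
        fixed = FIXED[train]
        if fixed is None:
            return "affected-eol"  # all versions of 8.0 and 7.1
        # A hotfix of an earlier maintenance release is still "earlier than".
        return "patched" if maint >= fixed else "affected"
    if train > (9, 1):
        return "patched"  # "all later PAN-OS versions"
    return "unknown"  # trains older than 7.1 are not covered by the article


def triage(inventory):
    """Unpatched devices as (hostname, status, portal), portal-enabled first."""
    rows = [(d["hostname"], classify(d["version"]), d["gp_portal"])
            for d in inventory]
    hits = [r for r in rows if r[1].startswith("affected")]
    # The issue is only exploitable when the GlobalProtect portal is enabled,
    # so those devices sort to the top of the upgrade queue.
    return sorted(hits, key=lambda r: (not r[2], r[0]))


# Constructed sample inventory (hypothetical hostnames and versions).
INVENTORY = [
    {"hostname": "fw-edge-01", "version": "9.0.8", "gp_portal": True},
    {"hostname": "fw-edge-02", "version": "9.1.3", "gp_portal": True},
    {"hostname": "fw-lab-01", "version": "8.0.20", "gp_portal": False},
    {"hostname": "fw-dc-01", "version": "8.1.14-h2", "gp_portal": False},
    {"hostname": "fw-branch-07", "version": "7.1.26", "gp_portal": True},
]

if __name__ == "__main__":
    for host, status, portal in triage(INVENTORY):
        print(f"{host:14} {status:13} portal_enabled={portal}")
```

Devices reported as affected-eol cannot be fixed by a maintenance update on their current train and need a move to a supported release.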

Palo Alto said it is not aware of attacks attempting to exploit this vulnerability.
