Less than two weeks after patching a dangerous flaw (CVE-2020-2021) in its PAN-OS operating system, Palo Alto Networks has released a security update that addresses another severe vulnerability in PAN-OS devices.
The new issue, tracked as CVE-2020-2034, is an OS command injection vulnerability in the PAN-OS GlobalProtect portal. It could be exploited by an unauthenticated, network-based attacker to execute arbitrary OS commands with root privileges on the firewall.
“An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled,” Palo Alto Networks explained in the advisory.
The company has not specified what information an attacker would need to know to successfully exploit this vulnerability, although the reference to brute-force attacks suggests the missing piece is guessable rather than secret. Administrators who cannot patch immediately should at least confirm whether the GlobalProtect portal feature is enabled, since the advisory states the issue cannot be exploited when it is not.
CVE-2020-2034 affects all versions of PAN-OS 7.1 and PAN-OS 8.0; PAN-OS 8.1 versions earlier than 8.1.15; PAN-OS 9.0 versions earlier than 9.0.9; and PAN-OS 9.1 versions earlier than 9.1.3.
The vulnerability has been patched in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions. PAN-OS 7.1 and PAN-OS 8.0 will not receive patches because they are no longer supported by the vendor; the only remediation on those branches is an upgrade to a supported release. Because the fixes for CVE-2020-2021 shipped in the same releases, firewalls that were already upgraded to those versions to resolve CVE-2020-2021 are not vulnerable to this issue.
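As an added illustration, not code from Palo Alto Networks or from the advisory, the following Python snippet encodes the affected and fixed version ranges above so that an inventory of firewalls can be triaged offline. The `a.b.c[-hN]` version-string format, the `triage` helper, the sample inventory and the conservative handling of branches older than 7.1 are assumptions of this example rather than vendor statements.

```python
import re
from typing import Dict, List, Tuple

# First fixed release on each supported branch, as listed above. Branches that
# never received a fix (7.1 and 8.0) are out of support; every release on them
# is affected.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 3),
}
UNPATCHED_BRANCHES = {(7, 1), (8, 0)}

# PAN-OS versions look like "9.0.8" or, with a hotfix, "9.0.8-h3" (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Split a PAN-OS version string into (major, minor, maintenance, hotfix).

    A missing hotfix suffix is reported as hotfix 0. Anything unparseable is
    rejected rather than silently treated as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def exposed_to_cve_2020_2034(version: str, globalprotect_portal_enabled: bool = True) -> bool:
    """Return True when a firewall running `version` is exposed to CVE-2020-2034.

    The portal flag models the advisory's condition that the issue cannot be
    exploited when the GlobalProtect portal feature is not enabled.
    """
    if not globalprotect_portal_enabled:
        return False
    major, minor, maint, _hotfix = parse_panos_version(version)
    branch = (major, minor)
    if branch in UNPATCHED_BRANCHES:
        return True
    if branch in FIXED_IN:
        # Hotfix level is irrelevant here: 9.0.8-h5 is still older than 9.0.9.
        return (major, minor, maint) < FIXED_IN[branch]
    if branch > (9, 1):
        # "All later PAN-OS versions" carry the fix.
        return False
    # Branches older than 7.1 are not mentioned in the advisory. Treating them as
    # exposed is a conservative assumption of this example, not a vendor statement.
    return True


def triage(inventory: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return, sorted, the hostnames that still need the CVE-2020-2034 fix."""
    return sorted(host for host, (ver, portal) in inventory.items()
                  if exposed_to_cve_2020_2034(ver, portal))


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> (version, portal enabled)); not real devices.
    sample = {
        "fw-edge-01": ("9.0.8-h3", True),   # pre-fix 9.0 build with portal on: exposed
        "fw-edge-02": ("9.0.9", True),      # first fixed 9.0 release: safe
        "fw-dc-01": ("8.1.15-h1", True),    # fixed 8.1 release plus hotfix: safe
        "fw-branch-01": ("8.0.20", True),   # end-of-life branch, no fix: exposed
        "fw-lab-01": ("9.1.2", False),      # vulnerable build but portal off: not exploitable
    }
    for host in triage(sample):
        print(f"{host}: needs upgrade for CVE-2020-2034")
```

The comparison deliberately ignores the hotfix suffix, since the fix lands in a maintenance release and no hotfix on an earlier maintenance release changes that; a device with the portal disabled is reported as not exposed, but it should still be scheduled for the upgrade before the portal is ever turned on.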
Palo Alto Networks said it is not aware of any attacks attempting to exploit this vulnerability.