Main Vulnerability Database Vulnerabilities #VU45651

#VU45651 Input validation error in Palo Alto PAN-OS - CVE-2020-2035

Published: August 12, 2020 / Updated: December 27, 2021

Vulnerability identifier: #VU45651

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-2035

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Palo Alto PAN-OS

Software vendor:
Palo Alto Networks, Inc.

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt the web transactions, the PAN-OS URL filtering feature inspects the HTTP Host and URL path headers for policy enforcement on the decrypted HTTPS web transactions but does not consider Server Name Indication (SNI) field within the TLS Client Hello handshake.

This allows a compromised host in a protected network to evade any security policy that uses URL filtering on a firewall configured with SSL Decryption in the Forward Proxy mode. A malicious actor can then use this technique to evade detection of communication on the TLS handshake phase between a compromised host and a remote malicious server.

Remediation

Install update from vendor's website.

External links

https://security.paloaltonetworks.com/CVE-2020-2035

#VU45651 Input validation error in Palo Alto PAN-OS - CVE-2020-2035

Description

Remediation

External links

Please verify you're human