On Wednesday, Palo Alto Networks informed customers that it had patched two high-severity vulnerabilities in PAN-OS, the operating system running on the company's firewalls.
The more serious of the two, based on CVSS score, is CVE-2020-2034, which affects the GlobalProtect portal and allows an unauthenticated attacker with network access to the targeted device to execute arbitrary operating system commands with root privileges.
"An attacker would need some level of specific information on an impacted firewall configuration or conduct brute-force attacks to exploit this problem," the vendor said in its advisory.
The vulnerability can only be exploited if the GlobalProtect feature is enabled. Prisma Access services are not affected, the company says, and the PAN-OS versions that patch CVE-2020-2021, a critical vulnerability disclosed recently, also address this bug.
The second high-severity vulnerability, tracked as CVE-2020-2030, allows an attacker with administrative access to the PAN-OS management interface to execute arbitrary OS commands with root privileges.
Palo Alto Networks says that both vulnerabilities were found recently and that there is no evidence of malicious exploitation. One researcher, however, noted that tens of thousands of devices may be exposed to attacks.
[Embedded tweet: Nate W. (@n0x08), July 8, 2020]
The company also told customers that two medium-severity vulnerabilities in PAN-OS have been patched: one that an authenticated attacker can exploit for denial-of-service (DoS), and one related to the use of the deprecated TLS 1.0 protocol for some communications between cloud-based services and PAN-OS.
None of these flaws appears to be as severe as CVE-2020-2021, which Palo Alto Networks fixed in late June and which allows an attacker to bypass authentication. Shortly after the patch was published, U.S. Cyber Command warned that foreign APTs may attempt to exploit it soon.
Over the past week, hackers have been exploiting a critical vulnerability affecting F5 Networks' BIG-IP application delivery controller (ADC). Soon after disclosure, proof-of-concept (PoC) exploits were made public and a growing number of attacks were observed. Attackers have delivered various payloads, including web shells and DDoS malware.