Palo Alto Networks (PAN) published nine security advisories for a series of vulnerabilities affecting PAN-OS, a custom operating system (OS) found in PAN’s next-generation firewalls. Below is a comment from Rody Quinlan, Security Response Manager, Tenable. A further analysis can be found in this blog.
“CVE-2020-2040, a buffer overflow vulnerability is a major concern because PAN-OS is, fundamentally, the guardian between an organisation’s network and the outside world. Successful exploitation could allow an attacker to disrupt system processes, which includes preventing the firewall from doing its job. This would allow an attacker to essentially gain control of the organisation’s firewall rules too. In layman’s terms, an attacker could break down a line of defence to, or within, the network or rewrite the rules and decide who does or does not have access.
It’s important not to panic as there is no evidence that this vulnerability has been exploited in the wild and, for now, there is no proof-of-concept code available. However, as is often the case with this type of serious vulnerability, that could change at any moment. That, combined with the number of publicly accessible PAN-OS devices and the potential risk, means organisations running affected versions of PAN-OS should take the threat seriously and upgrade to a fixed version as soon as possible.” – Rody Quinlan, Security Response Manager at Tenable.