CVE-2020-1978 in VM Series Firewall for Microsoft Azure
Summary
by MITRE
TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.
Analysis
by VulDB Data Team • 05/09/2025
The vulnerability described in CVE-2020-1978 represents a critical security flaw in Palo Alto Networks VM Series firewalls operating in high availability configurations on the Microsoft Azure platform. This issue emerged from the improper handling of sensitive authentication data within system diagnostic files, specifically affecting the VM Series Plugin versions prior to 1.0.9 running on PAN-OS 9.0. The flaw demonstrates a significant weakness in the security configuration management of cloud-based firewall deployments where administrative tools inadvertently expose privileged credentials.
The vulnerability stems from the generation of tech support files that contain Azure dashboard service account credentials carrying Contributor-level permissions. These credentials, while not granting login access to the VMs, provide extensive control over all Azure resources within the subscription. A privilege level equivalent to the Contributor role represents a substantial attack surface, since it allows manipulation of virtually all cloud resources except for access control management. The weakness maps to CWE-259: Use of Hard-coded Credentials and CWE-312: Cleartext Storage of Sensitive Information, as the credentials are embedded in diagnostic files without any redaction or removal mechanism.
The operational impact extends beyond simple credential exposure: anyone holding these credentials could create, modify, or delete virtual machines, storage accounts, network configurations, and other critical infrastructure components in the affected subscription. The vulnerability affects only a specific configuration, HA setups on the Azure platform, so non-HA deployments and deployments on other cloud providers remain unaffected. This narrow scope points to a configuration-specific flaw in the Azure plugin implementation rather than a fundamental architectural weakness in the broader firewall platform.
The mitigation strategy implemented by Palo Alto Networks involved immediate removal of existing compromised files and implementation of filtering mechanisms to prevent future occurrences. This approach aligns with ATT&CK technique T1566.001: Phishing: Spearphishing Attachment and T1531: Account Access Removal, as it addresses credential exposure through both reactive and preventive measures. The company's acknowledgment of the issue and subsequent remediation demonstrates proper vulnerability management protocols, including secure deletion of compromised data and implementation of access controls to limit who can access the diagnostic files. The fact that these files were only accessible to authorized Palo Alto Networks personnel with valid credentials provides some protection against unauthorized access, though the initial exposure still constitutes a security incident requiring immediate attention and remediation.
This vulnerability highlights the importance of proper credential management in cloud environments and the need for automated security controls that prevent sensitive data exposure in diagnostic and support files. The incident underscores the necessity of implementing robust configuration management practices and regular security assessments specifically tailored for cloud-based security appliances. Organizations using Palo Alto Networks VM Series firewalls in Azure environments should ensure they are running patched versions and implement additional monitoring for unauthorized access to diagnostic files. The vulnerability serves as a reminder that even well-established security vendors must maintain rigorous security practices to prevent credential exposure in automated system diagnostics and support mechanisms.