Palo Alto PAN-OS up to 7.1.x/8.1.13/9.0.6 Configuration Daemon Request input validation

Summaryinfo

A vulnerability classified as problematic has been found in Palo Alto PAN-OS up to 7.1.x/8.1.13/9.0.6. The impacted element is an unknown function of the component Configuration Daemon. Performing a manipulation as part of Request results in input validation. This vulnerability is reported as CVE-2020-2011. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, was found in Palo Alto PAN-OS up to 7.1.x/8.1.13/9.0.6 (Firewall Software). This affects some unknown processing of the component Configuration Daemon. The manipulation as part of a Request leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on availability. The summary by CVE is:

An improper input validation vulnerability in the configuration daemon of Palo Alto Networks PAN-OS Panorama allows for a remote unauthenticated user to send a specifically crafted registration request to the device that causes the configuration service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS Panorama services by restarting the device and putting it into maintenance mode. This issue affects: All versions of PAN-OS 7.1, PAN-OS 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7; PAN-OS 9.1 versions earlier than 9.1.0.

The weakness was disclosed 05/13/2020. This vulnerability is uniquely identified as CVE-2020-2011 since 12/04/2019. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available.

Upgrading to version 8.1.14, 9.0.7 or 9.1.0 eliminates this vulnerability.

The entries VDB-155221, VDB-155220, VDB-155219 and VDB-155218 are pretty similar. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• Palo Alto

Name

• PAN-OS

Version

• 7.0
• 7.1
• 8.1.0
• 8.1.1
• 8.1.2
• 8.1.3
• 8.1.4
• 8.1.5
• 8.1.6
• 8.1.7
• 8.1.8
• 8.1.9
• 8.1.10
• 8.1.11
• 8.1.12
• 8.1.13
• 9.0.0
• 9.0.1
• 9.0.2
• 9.0.3
• 9.0.4
• 9.0.5
• 9.0.6

License

• commercial

Website

• Vendor: https://www.paloaltonetworks.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion