https://live.paloaltonetworks.com/t5/general-topics/workaound-for-pan-os-predictable-temporary-file-vulnerability/m-p/330760#M83824 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62177">@Deepak_K</a>,</P><P>The vulnerability by itself really wouldn't be something that I would worry about, because you need to actually get direct shell access to the device in order to take advantage of it. PAN-OS already doesn't give a user direct shell access even when authenticated.</P><P>&nbsp;</P><P>In short, to take advantage of this vulnerability the attacker would need to:</P><P>1) Gain administrative access to the device.</P><P>- You hopefully already have this secured by permitted-ips so they would first need to compromise the proper internal machines.</P><P>2) Gain direct shell access.</P><P>- There are other vulnerabilities that have allowed unrestricted shell access, you'll want to see if any of them actually effect your current PAN-OS release.</P><P>3) Lastly exploit this vulnerability to actually gain root access on the underlying operating system.</P><P>&nbsp;</P><P>The risk of exploit here is relatively low, and properly securing your management access is going to negate most concern I would ever have of real world exploit. Part of proper management security would be ensuring that admins have a proper password on their account, so I would recommend setting up a good password policy if you aren't already enforcing one.&nbsp;</P> Mon, 01 Jun 2020 02:39:21 GMT BPry 2020-06-01T02:39:21Z https://live.paloaltonetworks.com/t5/general-topics/workaound-for-pan-os-predictable-temporary-file-vulnerability/m-p/330669#M83812 <P>There is no workaround available for this vulnerability&nbsp;</P><P><A href="https://security.paloaltonetworks.com/CVE-2020-1981" target="_blank">https://security.paloaltonetworks.com/CVE-2020-1981</A></P><P>A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation.</P><P>This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance.</P><P>&nbsp;</P><P>We don't want to upgrade software to resolve this issue.</P><P>Can we create password profile as workaround for this vulnerability point ? or please suggest any other alternative.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 30 May 2020 10:21:25 GMT https://live.paloaltonetworks.com/t5/general-topics/workaound-for-pan-os-predictable-temporary-file-vulnerability/m-p/330669#M83812 Deepak_K 2020-05-30T10:21:25Z https://live.paloaltonetworks.com/t5/general-topics/workaound-for-pan-os-predictable-temporary-file-vulnerability/m-p/330760#M83824 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62177">@Deepak_K</a>,</P><P>The vulnerability by itself really wouldn't be something that I would worry about, because you need to actually get direct shell access to the device in order to take advantage of it. PAN-OS already doesn't give a user direct shell access even when authenticated.</P><P>&nbsp;</P><P>In short, to take advantage of this vulnerability the attacker would need to:</P><P>1) Gain administrative access to the device.</P><P>- You hopefully already have this secured by permitted-ips so they would first need to compromise the proper internal machines.</P><P>2) Gain direct shell access.</P><P>- There are other vulnerabilities that have allowed unrestricted shell access, you'll want to see if any of them actually effect your current PAN-OS release.</P><P>3) Lastly exploit this vulnerability to actually gain root access on the underlying operating system.</P><P>&nbsp;</P><P>The risk of exploit here is relatively low, and properly securing your management access is going to negate most concern I would ever have of real world exploit. Part of proper management security would be ensuring that admins have a proper password on their account, so I would recommend setting up a good password policy if you aren't already enforcing one.&nbsp;</P> Mon, 01 Jun 2020 02:39:21 GMT https://live.paloaltonetworks.com/t5/general-topics/workaound-for-pan-os-predictable-temporary-file-vulnerability/m-p/330760#M83824 BPry 2020-06-01T02:39:21Z