Workaound for PAN-OS: Predictable temporary file vulnerability

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Workaound for PAN-OS: Predictable temporary file vulnerability

L3 Networker

There is no workaround available for this vulnerability 

https://security.paloaltonetworks.com/CVE-2020-1981

A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation.

This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance.

 

We don't want to upgrade software to resolve this issue.

Can we create password profile as workaround for this vulnerability point ? or please suggest any other alternative.

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@Deepak_K,

The vulnerability by itself really wouldn't be something that I would worry about, because you need to actually get direct shell access to the device in order to take advantage of it. PAN-OS already doesn't give a user direct shell access even when authenticated.

 

In short, to take advantage of this vulnerability the attacker would need to:

1) Gain administrative access to the device.

- You hopefully already have this secured by permitted-ips so they would first need to compromise the proper internal machines.

2) Gain direct shell access.

- There are other vulnerabilities that have allowed unrestricted shell access, you'll want to see if any of them actually effect your current PAN-OS release.

3) Lastly exploit this vulnerability to actually gain root access on the underlying operating system.

 

The risk of exploit here is relatively low, and properly securing your management access is going to negate most concern I would ever have of real world exploit. Part of proper management security would be ensuring that admins have a proper password on their account, so I would recommend setting up a good password policy if you aren't already enforcing one. 

View solution in original post

1 REPLY 1

Cyber Elite
Cyber Elite

@Deepak_K,

The vulnerability by itself really wouldn't be something that I would worry about, because you need to actually get direct shell access to the device in order to take advantage of it. PAN-OS already doesn't give a user direct shell access even when authenticated.

 

In short, to take advantage of this vulnerability the attacker would need to:

1) Gain administrative access to the device.

- You hopefully already have this secured by permitted-ips so they would first need to compromise the proper internal machines.

2) Gain direct shell access.

- There are other vulnerabilities that have allowed unrestricted shell access, you'll want to see if any of them actually effect your current PAN-OS release.

3) Lastly exploit this vulnerability to actually gain root access on the underlying operating system.

 

The risk of exploit here is relatively low, and properly securing your management access is going to negate most concern I would ever have of real world exploit. Part of proper management security would be ensuring that admins have a proper password on their account, so I would recommend setting up a good password policy if you aren't already enforcing one. 

  • 1 accepted solution
  • 2361 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!