Workaround for PAN-OS: Predictable temporary file vulnerability


L3 Networker

There is no workaround available for this vulnerability 

https://security.paloaltonetworks.com/CVE-2020-1981

A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation.

This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance.

 

We don't want to upgrade software to resolve this issue.

Can we create a password profile as a workaround for this vulnerability point? Or please suggest any other alternative.


Cyber Elite

@Deepak_K,

The vulnerability by itself really wouldn't be something that I would worry about, because you need to actually get direct shell access to the device in order to take advantage of it. PAN-OS already doesn't give a user direct shell access even when authenticated.

 

In short, to take advantage of this vulnerability the attacker would need to:

1) Gain administrative access to the device.

- You hopefully already have this secured by permitted-ips so they would first need to compromise the proper internal machines.

2) Gain direct shell access.

- There are other vulnerabilities that have allowed unrestricted shell access, you'll want to see if any of them actually affect your current PAN-OS release.

3) Lastly exploit this vulnerability to actually gain root access on the underlying operating system.

 

The risk of exploit here is relatively low, and properly securing your management access is going to negate most concern I would ever have of real world exploit. Part of proper management security would be ensuring that admins have a proper password on their account, so I would recommend setting up a good password policy if you aren't already enforcing one. 
