Workaround for PAN-OS: Predictable temporary file vulnerability

There is no workaround available for this vulnerability 

https://security.paloaltonetworks.com/CVE-2020-1981

A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation.

This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance.

 

We don't want to upgrade software to resolve this issue.

Can we create a password profile as a workaround for this vulnerability point? Or please suggest any other alternative.

Accepted Solutions

Re: Workaround for PAN-OS: Predictable temporary file vulnerability

@Deepak_K,

The vulnerability by itself really wouldn't be something that I would worry about, because you need to actually get direct shell access to the device in order to take advantage of it. PAN-OS already doesn't give a user direct shell access even when authenticated.

 

In short, to take advantage of this vulnerability the attacker would need to:

1) Gain administrative access to the device.

- You hopefully already have this secured by permitted-ips so they would first need to compromise the proper internal machines.

2) Gain direct shell access.

- There are other vulnerabilities that have allowed unrestricted shell access; you'll want to see if any of them actually affect your current PAN-OS release.

3) Lastly exploit this vulnerability to actually gain root access on the underlying operating system.

 

The risk of exploit here is relatively low, and properly securing your management access is going to negate most concern I would ever have of real world exploit. Part of proper management security would be ensuring that admins have a proper password on their account, so I would recommend setting up a good password policy if you aren't already enforcing one. 
