Palo Alto Networks Patches Serious DoS, Code Execution Flaws in PAN-OS

Palo Alto Networks this week announced that it has patched critical and high-severity denial-of-service (DoS) and arbitrary code execution vulnerabilities in its PAN-OS firewall software.


The most serious of the flaws, based on its CVSS score of 9.8, is CVE-2020-2040, a buffer overflow that can be exploited by a remote, unauthenticated attacker to disrupt system processes and possibly to execute arbitrary code with root permissions by sending specially crafted requests to the Multi-Factor Authentication (MFA) interface or the Captive Portal.


Another potentially serious vulnerability, classified as high severity and tracked as CVE-2020-2041, allows a remote, unauthenticated attacker to cause all PAN-OS services to enter a DoS condition by forcing the device to restart and enter maintenance mode.


A vulnerability that can be exploited to disrupt system processes and possibly to execute arbitrary code with root privileges has also been rated high severity, but exploitation requires authentication to the PAN-OS management interface.


The aforementioned vulnerabilities were discovered internally by Palo Alto Networks. However, the company has also published advisories for security holes identified by researchers at Positive Technologies.


According to Positive Technologies, its employees found a total of four vulnerabilities described as cross-site scripting (XSS), OS command injection, and DoS issues.


Exploitation of the OS command injection flaws, both classified as high severity, can allow an attacker with admin privileges to execute arbitrary commands as root.


The XSS vulnerability, which has a CVSS ..
