Bypass restrictions on Palo Alto’s PAN-OS firewall with this zero-day vulnerability
Specialists from a pentesting course have revealed the finding of a critical flaw in , the operating system present in multiple Palo Alto Networks solutions. According to the report, the exploitation of this flaw would allow threat actors to evade security controls on the affected products.
Below are some details of the reported flaw, in addition to their respective score and identification key in the Common Vulnerability Scoring System (CVSS).
CVE-2020–2035: When Forward Proxy Decryption SSL/TLS mode is configured to decrypt web transactions, The PAN-OS URL filtering feature inspects the HTTP host and URL path headers for policy enforcement in decrypted HTTPS web transactions, but does not parse the Server Name Indication (SNI) field within the TLS Hello Client handshake, which would allow malicious hackers to bypass the security restrictions implemented.
According to the pentesting course specialists, the flaw allows a compromised host on a protected network to dodge any security policy that uses URL filtering on a firewall configured with SSL Decryption in Forward Proxy mode.
This is an average severity vulnerability that received a CVSS score of 5.4/10.
The following are the versions of Palo Alto PAN-OS affected by this flaw: 8.1, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.4-h2, 8.1.5, 8.1.6, 184.108.40.206, 8.1, 7, 8.1.8, 8.1.8-h4, 8.1.8-h5, 8.1.9, 8.1.9-h4, 220.127.116.11, 8.1.12, 8.1.13, 8.1.14, 8.1. 15, 9.0, 9.0.0, 9.0.1, 9.0.2, 9.0.2-h4, 9.0.3, 9.0.3-h2, 9.0.3-h3, 9.0.4, 9.0.5, 9.0.5- h3, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 10.0.
While the flaw could be exploited by unauthenticated remote threat actors, pentesting course specialists have not detected attempts at active exploitation. It is important to remember that the vulnerability has not yet been fixed, so users should remain in the expectation of any new Palo Alto notice related to the flaw.
Originally published at https://www.securitynewspaper.com on August 13, 2020.