CVE-2020-1978

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.

CVSS v3 4.4 MEDIUM
CVSS v2.0 1.9 LOW

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.9^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://security.paloaltonetworks.com/CVE-2020-1978	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:paloaltonetworks:vm-series::::::azure::*
	cpe:2.3:o:paloaltonetworks:pan-os:9.0.0:::::::*

History

No history.

Information

Published : 2020-04-08 19:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-1978

Mitre link : CVE-2020-1978

CVE.ORG link : CVE-2020-1978

JSON object : View

Products Affected

paloaltonetworks

vm-series
pan-os

CWE

CWE-522

Insufficiently Protected Credentials

CWE-255

Credentials Management Errors

{"id": "CVE-2020-1978", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 1.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "psirt@paloaltonetworks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.6}]}, "published": "2020-04-08T19:15:13.277", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2020-1978", "tags": ["Vendor Advisory"], "source": "psirt@paloaltonetworks.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Secondary", "source": "psirt@paloaltonetworks.com", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials."}, {"lang": "es", "value": "Los archivos TechSupport generados en los firewalls Palo Alto Networks VM Series para la plataforma Microsoft Azure configurados con alta disponibilidad (HA), recopilan inadvertidamente las credenciales de la cuenta de servicio del panel de Azure. Estas credenciales son equivalentes a las credenciales asociadas con el rol Contributor en Azure. Un usuario con las credenciales podr\u00e1 ser capaz de administrar todos los recursos de Azure en la suscripci\u00f3n, excepto para otorgar acceso a otros recursos. Estas credenciales no permiten el acceso de inicio de sesi\u00f3n a las m\u00e1quinas virtuales por si mismas. Este problema afecta a VM Series Plugin versiones anteriores a 1.0.9 para PAN-OS versi\u00f3n 9.0. Este problema no afecta a VM Series en configuraciones que no sean de alta disponibilidad o sobre otras plataformas en la nube. No afecta al hardware de dispositivos firewall. Desde que se conoci\u00f3 el problema, Palo Alto Networks ha eliminado de manera segura todos los archivos de soporte t\u00e9cnico con las credenciales. Ahora filtramos y eliminamos estas credenciales de todos los archivos TechSupport que nos env\u00edan. Los archivos TechSupport cargados en los sistemas de Palo Alto Networks solo eran accesibles por personal autorizado con credenciales v\u00e1lidas de Palo Alto Networks. No tenemos ninguna evidencia de acceso malicioso o uso de estas credenciales."}], "lastModified": "2020-04-10T15:42:03.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:paloaltonetworks:vm-series:*:*:*:*:*:azure:*:*", "vulnerable": true, "matchCriteriaId": "302372C3-03AD-4C54-9726-76AFAF8E00B8", "versionEndExcluding": "1.0.9", "versionStartIncluding": "1.0"}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:9.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8493281-925D-4BD5-BE4F-2FB9C2CD8F9D"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@paloaltonetworks.com"}