CVE-2020-1978 : Security Advisory and Response

VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs

Understanding CVE-2020-1978

What is CVE-2020-1978?

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform with HA configuration inadvertently collect Azure dashboard service account credentials, potentially exposing confidential data.

The Impact of CVE-2020-1978

This vulnerability could allow a user with compromised credentials to manage all Azure resources under the subscription, impacting confidentiality and potentially availability. The issue affects specific versions of the VM-Series Plugin on Microsoft Azure.

Technical Details of CVE-2020-1978

Vulnerability Description

The vulnerability lies in unintentional credential collection in TechSupport files, affecting VM-Series Plugin versions prior to 1.0.9 for PAN-OS 9.0 on Microsoft Azure with HA configurations.

Affected Systems and Versions

Product: Palo Alto Networks VM-Series Plugin
Vendor: Palo Alto Networks
Versions: Custom version 1.0, specifically versions less than or equal to 1.0.8

Exploitation Mechanism

Attack Complexity: Low
Privileges Required: High
User Interaction: Required

Mitigation and Prevention

Immediate Steps to Take

Refrain from generating TechSupport files on affected VMs to avoid credential exposure.

Long-Term Security Practices

Upgrade to VM-Series Plugin 1.0.9 for Microsoft Azure to address the issue.
Update Azure dashboard credentials and delete any previously generated TechSupport files.

Patching and Updates

Create a new Service Principal in the Azure AD Portal with a Contributor role and update Azure HA configuration with the new credentials.
Follow provided guidance to ensure secure configurations and service principal updates.