CVE-2020-2018 : Security Advisory and Response

Learn about CVE-2020-2018, an authentication bypass vulnerability in Panorama allowing unauthorized access to managed firewalls. Find out impacted systems, mitigation steps, and more.

An authentication bypass vulnerability in the Panorama context switching feature allows an attacker to gain privileged access to managed firewalls. This CVE affects PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.12, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0.

Understanding CVE-2020-2018

This CVE involves an authentication bypass vulnerability in Panorama, impacting various PAN-OS versions.

What is CVE-2020-2018?

This CVE refers to an authentication bypass vulnerability in Panorama, enabling unauthorized privileged access to managed firewalls.

The Impact of CVE-2020-2018

The vulnerability has a CVSS base score of 9, classified as critical due to its high impact on confidentiality, integrity, and availability.

Technical Details of CVE-2020-2018

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The vulnerability allows attackers with network access to Panorama's management interface to gain privileged access to managed firewalls.

Affected Systems and Versions

        PAN-OS 7.1 versions earlier than 7.1.26
        PAN-OS 8.1 versions earlier than 8.1.12
        PAN-OS 9.0 versions earlier than 9.0.6
        All versions of PAN-OS 8.0
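
The affected-version rules above can be applied to a Panorama inventory as follows. This is an added example, not code from the vendor or from this page; the host names, the sample inventory and the assumed version format (`major.minor.maintenance` with an optional `-hN` hotfix suffix) are constructed for illustration.

```python
import re

# Fixed maintenance release per PAN-OS train, taken from the list above.
# None means every release of that train is listed as affected (PAN-OS 8.0).
FIXED_IN = {(7, 1): 26, (8, 0): None, (8, 1): 12, (9, 0): 6}

# Assumed version format: major.minor.maintenance, optional "-hN" hotfix suffix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsable'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsable"
    major, minor, maint = (int(g) for g in m.groups())
    train = (major, minor)
    if train not in FIXED_IN:
        # This page says nothing about the train, so do not report it as safe.
        return "not-listed"
    fixed = FIXED_IN[train]
    if fixed is None or maint < fixed:
        return "affected"
    return "fixed"


def triage(inventory):
    """Group host names by status so unknown versions are never silently dropped."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed sample inventory: hypothetical Panorama host -> reported PAN-OS version.
INVENTORY = {
    "panorama-a": "8.1.11-h2",   # hotfix of a pre-fix maintenance release
    "panorama-b": "8.1.12",
    "panorama-c": "8.0.20",      # 8.0 has no fixed release listed
    "panorama-d": "9.1.2",       # train not covered by this page
    "panorama-e": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `not-listed` or `unparsable` need manual review against the vendor advisory rather than being treated as unaffected.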

Exploitation Mechanism

        Attack Complexity: High
        Attack Vector: Network
        Privileges Required: None
        Scope: Changed
        User Interaction: None

Mitigation and Prevention

The following measures mitigate and prevent exploitation of CVE-2020-2018.

Immediate Steps to Take

        Upgrade to PAN-OS 7.1.26, 8.1.12, 9.0.6, or later versions
        Enable custom certificate authentication between Panorama and managed firewalls

Long-Term Security Practices

        Follow best practices for securing the PAN-OS management interface

Patching and Updates

        Upgrading Panorama to a fixed version resolves the issue
        Note that PAN-OS 8.0 is no longer covered by Product Security Assurance policies
