CVE-2020-1998

Summary

An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS8.0.*affected
Palo Alto NetworksPAN-OS8.1 < 8.1.13affected
Palo Alto NetworksPAN-OS7.1 < 7.1.26affected
Palo Alto NetworksPAN-OS9.0 < 9.0.6affected
Palo Alto NetworksPAN-OS9.1 < 9.1.1affected

Weaknesses

  • CWE-285: CWE-285 Improper Authorization

Workarounds

The impact of this vulnerability can be mitigated by removing shared usernames between local linux users and SAML enabled users.

ADP Enrichment

CVE Program Container

Additional References

References