CVE-2020-2002

Summary

An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users. This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All version of PAN-OS 8.0.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS8.0.*affected
Palo Alto NetworksPAN-OS8.1 < 8.1.13affected
Palo Alto NetworksPAN-OS9.0 < 9.0.6affected
Palo Alto NetworksPAN-OS7.1 < 7.1.26affected

Weaknesses

  • CWE-290: CWE-290 Authentication Bypass by Spoofing

Workarounds

Ensure that PAN-OS communicates to Kerberos server over a secured network with access restricted to trusted users.

Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at: https://docs.paloaltonetworks.com.

ADP Enrichment

CVE Program Container

Additional References

References