CVE-2020-1998: PAN-OS: Improper SAML SSO authorization of shared local users
First published: Wed May 13 2020(Updated: )
An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | >=7.1.0<7.1.26 | |
| Palo Alto Networks PAN-OS | >=8.0.0<=8.0.20 | |
| Palo Alto Networks PAN-OS | >=8.1.0<8.1.13 | |
| Palo Alto Networks PAN-OS | >=9.0.0<9.0.6 | |
| Palo Alto Networks PAN-OS | >=9.1.0<9.1.1 |
Remedy
This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.6, PAN-OS 9.1.1, and all later PAN-OS versions. PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-1998?
CVE-2020-1998 has a high severity rating due to its potential for authentication bypass.
How do I fix CVE-2020-1998?
To fix CVE-2020-1998, upgrade to a version of PAN-OS that is not vulnerable, specifically beyond the specified versions in the advisory.
Which versions of PAN-OS are affected by CVE-2020-1998?
CVE-2020-1998 affects PAN-OS versions 7.1.0 to 7.1.26, 8.0.0 to 8.0.20, 8.1.0 to 8.1.13, 9.0.0 to 9.0.6, and 9.1.0 to 9.1.1.
What type of vulnerability is CVE-2020-1998?
CVE-2020-1998 is classified as an improper authorization vulnerability related to SSO authentication.
What consequences can result from CVE-2020-1998?
The consequences of CVE-2020-1998 include potential unauthorized access and privilege escalation due to authentication bypass.
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/7.1.0
- version/palo alto networks pan-os/8.0.0
- version/palo alto networks pan-os/8.0.20
- version/palo alto networks pan-os/8.1.0
- version/palo alto networks pan-os/9.0.0
- version/palo alto networks pan-os/9.1.0