CVE-2020-1994 – PAN-OS: Predictable temporary file vulnerability
https://notcve.org/view.php?id=CVE-2020-1994
A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files, affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7.
• https://security.paloaltonetworks.com/CVE-2020-1994
• CWE-377: Insecure Temporary File
CVE-2020-1993 – PAN-OS: GlobalProtect Portal PHP session fixation vulnerability
https://notcve.org/view.php?id=CVE-2020-1993
The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.
• https://security.paloaltonetworks.com/CVE-2020-1993
• CWE-384: Session Fixation
CVE-2020-1992 – PAN-OS on PA-7000 Series: Varrcvr daemon network-based denial of service or privilege escalation
https://notcve.org/view.php?id=CVE-2020-1992
A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000 Series devices with a Log Forwarding Card (LFC) allows remote attackers to crash the daemon, creating a denial of service condition, or potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.2 on PA-7000 Series devices with an LFC installed and configured. This issue requires WildFire services to be configured and enabled. This issue does not affect PAN-OS 8.1 and earlier releases. This issue does not affect any other PA Series firewalls.
• https://security.paloaltonetworks.com/CVE-2020-1992
• CWE-134: Use of Externally-Controlled Format String
CVE-2020-1990 – PAN-OS: Buffer overflow in the management server
https://notcve.org/view.php?id=CVE-2020-1990
A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13; 9.0 versions before 9.0.7. This issue does not affect PAN-OS 7.1.
• https://security.paloaltonetworks.com/CVE-2020-1990
• CWE-121: Stack-based Buffer Overflow
• CWE-787: Out-of-bounds Write
CVE-2020-1978 – VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs
https://notcve.org/view.php?id=CVE-2020-1978
TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0.
• https://security.paloaltonetworks.com/CVE-2020-1978
• CWE-255: Credentials Management Errors
• CWE-522: Insufficiently Protected Credentials