CVE-2020-1978

VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.

Los archivos TechSupport generados en los firewalls Palo Alto Networks VM Series para la plataforma Microsoft Azure configurados con alta disponibilidad (HA), recopilan inadvertidamente las credenciales de la cuenta de servicio del panel de Azure. Estas credenciales son equivalentes a las credenciales asociadas con el rol Contributor en Azure. Un usuario con las credenciales podrá ser capaz de administrar todos los recursos de Azure en la suscripción, excepto para otorgar acceso a otros recursos. Estas credenciales no permiten el acceso de inicio de sesión a las máquinas virtuales por si mismas. Este problema afecta a VM Series Plugin versiones anteriores a 1.0.9 para PAN-OS versión 9.0. Este problema no afecta a VM Series en configuraciones que no sean de alta disponibilidad o sobre otras plataformas en la nube. No afecta al hardware de dispositivos firewall. Desde que se conoció el problema, Palo Alto Networks ha eliminado de manera segura todos los archivos de soporte técnico con las credenciales. Ahora filtramos y eliminamos estas credenciales de todos los archivos TechSupport que nos envían. Los archivos TechSupport cargados en los sistemas de Palo Alto Networks solo eran accesibles por personal autorizado con credenciales válidas de Palo Alto Networks. No tenemos ninguna evidencia de acceso malicioso o uso de estas credenciales.

*Credits: This issue was found by Ranjeet Ramalingam during an internal security review.

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-12-04 CVE Reserved
2020-04-08 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-255: Credentials Management Errors
CWE-522: Insufficiently Protected Credentials

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://security.paloaltonetworks.com/CVE-2020-1978	2020-04-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Paloaltonetworks Search vendor "Paloaltonetworks"		Vm-series Search vendor "Paloaltonetworks" for product "Vm-series"				>= 1.0 < 1.0.9 Search vendor "Paloaltonetworks" for product "Vm-series" and version " >= 1.0 < 1.0.9"		azure		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				9.0.0 Search vendor "Paloaltonetworks" for product "Pan-os" and version "9.0.0"		-		Affected