
CVE-2020-1978

VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs

  • Severity Score: 4.4 (CVSS v3.1)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.

*Credits: This issue was found by Ranjeet Ramalingam during an internal security review.
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: High

  • Attack Vector: Local
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-12-04 CVE Reserved
  • 2020-04-08 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-255: Credentials Management Errors
  • CWE-522: Insufficiently Protected Credentials
Affected Vendors, Products, and Versions
Vendor            Product    Version          Other  Status
Paloaltonetworks  Vm-series  >= 1.0 < 1.0.9   azure  Affected
Paloaltonetworks  Pan-os     9.0.0            -      Affected