CVE-2020-1978: 
PAN-OS vulnerability analysis and mitigation

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collected Azure dashboard service account credentials. This vulnerability was discovered internally and assigned CVE-2020-1978, affecting VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. The issue was specific to VM Series appliances with HA configuration on Microsoft Azure and did not affect non-HA configurations or other cloud platforms (Palo Alto).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.8 (MEDIUM) with the following metrics: Attack Vector: LOCAL, Attack Complexity: LOW, Privileges Required: HIGH, User Interaction: REQUIRED, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: NONE, Availability Impact: HIGH. The vulnerability is classified under CWE-255 (Credentials Management) (Palo Alto).

The exposed credentials were equivalent to those associated with the Contributor role in Azure, allowing users with these credentials to manage all Azure resources in the subscription, except for granting access to other resources. However, these credentials did not provide login access to the VMs themselves. Palo Alto Networks confirmed that the TechSupport files were only accessible by authorized personnel with valid credentials, and no evidence of malicious access or use of these credentials was found (Palo Alto).

The issue was fixed in VM-Series Plugin 1.0.9 for Microsoft Azure. Customers who generated TechSupport files on older versions were advised to change their Azure dashboard credentials and delete any previously generated TechSupport files. The mitigation process included creating a new Service Principal with a Contributor role in the Azure AD Portal, updating the Azure HA configuration with new credentials, and deleting the old Service Principal (Palo Alto).