CVE-2020-1979: 
PAN-OS vulnerability analysis and mitigation

A format string vulnerability was discovered in the PAN-OS log daemon (logd) on Panorama, identified as CVE-2020-1979. The vulnerability was discovered during an internal security review by Nicholas Newsom of Palo Alto Networks and was disclosed on March 11, 2020. This vulnerability affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama, while PAN-OS 7.1, PAN-OS 9.0, and later versions are not affected (Palo Alto Networks).

The vulnerability is classified as a format string vulnerability (CWE-134) with a CVSSv3.1 Base Score of 8.1 (HIGH), indicating NETWORK attack vector, HIGH attack complexity, and HIGH impact on confidentiality, integrity, and availability. The vulnerability requires no privileges or user interaction, and the scope remains unchanged. The issue specifically affects the management interface of Panorama (Palo Alto Networks).

When exploited, this vulnerability allows a network-based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code. The attacker can bypass the restricted shell and escalate privileges, potentially gaining significant control over the affected system (Palo Alto Networks).

The vulnerability is fixed in PAN-OS 8.1.13 and all later PAN-OS 8.1 versions. For systems that cannot be immediately updated, the issue can be mitigated by following best practices for securing the Panorama management interface. Palo Alto Networks recommends reviewing the Best Practices for Securing Administrative Access in the PAN-OS 8.1 technical documentation to reduce exposure of the management interface to potential attackers (Palo Alto Networks).