
Cloud Vulnerability DB
A community-led vulnerabilities database
A missing authorization vulnerability (CVE-2020-1996) was discovered in the management server component of PAN-OS Panorama. The vulnerability was disclosed on May 13, 2020, affecting multiple versions of PAN-OS including all versions of 7.1 and 8.0, versions earlier than 8.1.14 in PAN-OS 8.1, and versions earlier than 9.0.9 in PAN-OS 9.0. This vulnerability was discovered by Ben Nott of Palo Alto Networks during an internal security review (Palo Advisory).
The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. It is classified as CWE-862 (Missing Authorization) and allows remote unauthenticated users to inject messages into the management server ms.log file (NVD).
The vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file. This could potentially allow attackers to hide their malicious activities by manipulating the logging system (Palo Advisory).
The vulnerability has been fixed in PAN-OS versions 8.1.14, 9.0.9, and all later versions. For systems that cannot be immediately updated, attacks against this vulnerability can be blocked with signatures for Unique Threat ID 58197 enabled on a different firewall configured to protect the vulnerable management interfaces. Additionally, following best practices for securing the PAN-OS management interface is strongly recommended (Palo Advisory).
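The affected-version ranges above can be turned into an inventory check. The following is an added example, not code from Palo Alto Networks or this database; the function names and the sample inventory are constructed for illustration, and release trains the page does not mention are reported as `unknown` rather than guessed.

```python
import re

# Fixed maintenance release per affected train, taken from the text above.
# None means every release in that train is affected (no fix is listed).
FIXED_IN = {(7, 1): None, (8, 0): None, (8, 1): 14, (9, 0): 9}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse 'major.minor.maint' with an optional '-hN' hotfix suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version string: {text!r}")
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, maint, int(m.group(4) or 0)


def cve_2020_1996_status(version):
    """Return 'affected', 'fixed' or 'unknown' for a Panorama version."""
    major, minor, maint, _hotfix = parse_panos_version(version)
    train = (major, minor)
    if train in FIXED_IN:
        fixed_maint = FIXED_IN[train]
        # A hotfix of an older maintenance release still predates the fix.
        if fixed_maint is None or maint < fixed_maint:
            return "affected"
        return "fixed"
    if train > (9, 0):
        return "fixed"  # "all later versions" per the text above
    return "unknown"  # trains the page does not mention (e.g. before 7.1)


def affected_hosts(inventory):
    """Map hostname -> version for every host that still needs the upgrade."""
    return {host: ver for host, ver in inventory.items()
            if cve_2020_1996_status(ver) == "affected"}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "panorama-a": "8.1.13-h1",
    "panorama-b": "8.1.14",
    "panorama-c": "9.0.8",
    "panorama-d": "8.0.20",
    "panorama-e": "9.1.2",
}

if __name__ == "__main__":
    for host, ver in sorted(affected_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: {ver} is affected by CVE-2020-1996")
```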
Source: This report was generated using AI