-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1274
  VM-Series on Microsoft Azure: Inadvertent collection of credentials in
                 Tech support files on HA configured VMs
                               9 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VM Series Plugin
Publisher:         Juniper Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1978

Original Bulletin:
   https://securityadvisories.paloaltonetworks.com/CVE-2020-1978

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2020-1978

CVE-2020-1978 VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs

Severity                5.8 MEDIUM
Attack Vector           LOCAL
Attack Complexity       LOW
Privileges Required     HIGH
User Interaction        REQUIRED
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        NONE
Availability Impact     HIGH

Published: 2020-04-08
Updated:   2020-04-08
Ref#:      PLUG-3787

Description

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves.

This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0.

This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances.
Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.

Product Status

VM-Series Plugin

Versions  Affected                     Unaffected
1.0       <= 1.0.8 on Microsoft Azure  >= 1.0.9 on Microsoft Azure

Required Configuration

This issue only affects VM Series appliances with HA configuration on Microsoft Azure.

Severity: MEDIUM

CVSSv3.1 Base Score: 5.8 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H)

Solution

This issue is fixed in VM-Series Plugin 1.0.9 for Microsoft Azure.

Customers who generated TechSupport files on older versions are advised to change their Azure dashboard credentials. Customers are advised to delete any previously generated TechSupport files.

Instructions to change the credentials:

1. Create a new Service Principal with a Contributor role in the Azure AD Portal. Instructions to create a new Service Principal can be found here:
   https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

2. Update your Azure HA configuration in the PA-VM configuration with the new Service Principal credentials. The steps to update the configuration are provided in "Step 3" of the PA-VM Azure HA configuration guide:
   https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/configure-activepassive-ha-for-vm-series-firewall-on-azure.html

3. Delete the old Service Principal in the Azure AD Portal that was being used in the Azure HA configuration.

Note: If the old Service Principal is used in other applications, then the other applications need to be updated with the new Service Principal.
Workarounds and Mitigations

Do not generate TechSupport files on the affected VMs.

Acknowledgements

This issue was found by Ranjeet Ramalingam during an internal security review.

Timeline

2020-02-19 Initial publication

(C) 2020 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
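
The Product Status, Required Configuration and Solution conditions from the advisory above, expressed as a fleet triage check. This is an added example, not code from Palo Alto Networks or AusCERT; the `Firewall` inventory record, its field names and the sample fleet are hypothetical, and it assumes each appliance's platform and HA setting did not change over time.

```python
from dataclasses import dataclass, field

FIXED = (1, 0, 9)        # advisory: >= 1.0.9 on Microsoft Azure is unaffected
AFFECTED_TRAIN = (1, 0)  # advisory: affected versions are 1.0 <= 1.0.8

@dataclass
class Firewall:  # hypothetical inventory record, not a PAN-OS data model
    name: str
    platform: str            # "azure", "aws", "hardware", ...
    ha_enabled: bool
    plugin_version: str      # VM-Series Plugin version running now
    # Plugin versions that were running when TechSupport files were generated.
    techsupport_versions: list = field(default_factory=list)

def parse_version(text):
    """'1.0.10' -> (1, 0, 10), so 1.0.10 compares above 1.0.9."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised plugin version: {text!r}")
    return tuple(int(p) for p in parts)

def version_affected(text):
    v = parse_version(text)
    return v[:2] == AFFECTED_TRAIN and v < FIXED

def triage(fw):
    """Return the advisory's actions that apply to one appliance."""
    # Required configuration: HA on Microsoft Azure only.
    if fw.platform.lower() != "azure" or not fw.ha_enabled:
        return []
    actions = []
    if version_affected(fw.plugin_version):
        actions.append("upgrade VM-Series Plugin to 1.0.9 or later")
        actions.append("do not generate TechSupport files until upgraded")
    # Files generated before an upgrade still hold the credentials.
    if any(version_affected(v) for v in fw.techsupport_versions):
        actions.append("rotate the Azure HA service principal")
        actions.append("delete previously generated TechSupport files")
    return actions

# Constructed sample inventory (names and versions are illustrative).
FLEET = [
    Firewall("fw-az-ha-1", "azure", True, "1.0.8", ["1.0.8"]),
    Firewall("fw-az-ha-2", "azure", True, "1.0.10", ["1.0.5", "1.0.10"]),
    Firewall("fw-az-solo", "azure", False, "1.0.8", ["1.0.8"]),
    Firewall("fw-aws-ha", "aws", True, "1.0.8", ["1.0.8"]),
]

if __name__ == "__main__":
    for fw in FLEET:
        print(fw.name, "->", triage(fw) or "no action under this advisory")
```

The second sample appliance shows the case that is easy to miss: it already runs a fixed plugin, but a TechSupport file generated before the upgrade means the service principal still needs rotating.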