Cybersecurity researchers on Wednesday revealed four new vulnerabilities in enterprise software used by thousands of companies around the world that, if exploited, could be used to steal data from internal networks.
The bugs in PAN-OS, the operating system that runs Palo Alto Networks’ firewalls, add to a growing list of vulnerabilities in widely used corporate software that researchers have uncovered in 2020. Some of those vulnerabilities, such as a flaw in software made by Citrix, have been used in espionage and other hacking operations.
In the case of the PAN-OS flaws, which security firm Positive Technologies found, CyberScoop has not seen evidence that hackers have successfully exploited them. Palo Alto Networks released fixes for all of the vulnerabilities and told customers to apply them.
One of the more critical vulnerabilities could allow a hacker who first gains access to the software’s management interface to plant malicious code in the operating system and obtain “maximum privileges” on the system, according to Positive Technologies researchers. Another bug could allow a hacker to take over the software by tricking an administrator into clicking a malicious link.
Exploiting those flaws requires accessing the PAN-OS software’s “administrative panel,” a sort of skeleton key for enterprise software. Many organizations house that panel on their internal networks. However, some organizations make it externally accessible, heightening their security risk, said Positive Technologies researcher Mikhail Klyuchnikov.
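Because every one of these flaws starts from reaching the management interface, the first check a practitioner wants is whether that interface is actually restricted to trusted sources. The script below is an added example written for this article; it is not code from CyberScoop, Positive Technologies or Palo Alto Networks. It assumes (as in a PAN-OS XML configuration export) that the allow-list lives under deviceconfig/system/permitted-ip as one `<entry name="CIDR"/>` per permitted source, and that an absent or empty list means the management interface answers to any address that can reach it. The four sample configurations are constructed for the example.

```python
"""Flag PAN-OS-style configs whose management interface is open to any source.

Added example for this article; not code from CyberScoop, Positive
Technologies or Palo Alto Networks. Assumption: the export uses the
deviceconfig/system/permitted-ip element of a PAN-OS XML configuration,
one <entry name="CIDR"/> per allowed source, and an absent or empty list
means the management interface accepts connections from any address.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not real firewalls): one restricted, one with no
# allow-list at all, one with an allow-everything entry, one with a broad range.
SAMPLE_CONFIGS = {
    "fw-restricted": """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><permitted-ip>
  <entry name="10.20.0.0/16"/>
  <entry name="192.0.2.10/32"/>
</permitted-ip></system></deviceconfig></entry></devices></config>""",
    "fw-open": """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><hostname>fw-open</hostname></system></deviceconfig>
</entry></devices></config>""",
    "fw-any": """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><permitted-ip>
  <entry name="0.0.0.0/0"/>
</permitted-ip></system></deviceconfig></entry></devices></config>""",
    "fw-broad": """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><permitted-ip>
  <entry name="10.0.0.0/8"/>
</permitted-ip></system></deviceconfig></entry></devices></config>""",
}

# Assumed location of the allow-list inside the export (see module docstring).
PERMITTED_IP_PATH = "./devices/entry/deviceconfig/system/permitted-ip/entry"


def permitted_sources(config_xml):
    """Return the allow-listed source networks, parsed so prefix lengths can be compared."""
    root = ET.fromstring(config_xml)
    return [ipaddress.ip_network(e.get("name"), strict=False)
            for e in root.findall(PERMITTED_IP_PATH)]


def audit_management_access(config_xml, broad_prefix=16):
    """Return (severity, message) findings; an empty list means the allow-list looks sane."""
    nets = permitted_sources(config_xml)
    findings = []
    if not nets:
        findings.append(("critical",
                         "no permitted-ip entries: management interface accepts any source"))
    for net in nets:
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 is an allow-list in name only.
            findings.append(("critical", f"permitted-ip {net} allows every address"))
        elif net.prefixlen < broad_prefix:
            findings.append(("warning", f"permitted-ip {net} is broader than /{broad_prefix}"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to 'critical', 'warning' or 'ok'."""
    order = {"critical": 2, "warning": 1}
    return max(findings, key=lambda f: order[f[0]], default=("ok", ""))[0]


def run_audit(configs):
    """Map each firewall name to its worst finding."""
    return {name: worst_severity(audit_management_access(cfg))
            for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        for severity, message in audit_management_access(cfg) or [("ok", "allow-list restricted")]:
            print(f"{name}: {severity}: {message}")
```

This is a static check on the exported configuration, not a reachability test, so pair it with a scan of the management address from outside the perimeter: a firewall whose allow-list looks fine in the export can still be exposed if the management IP sits on a public subnet and the list was never committed.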
The string of vulnerabilities found in corporate software this year has prompted warnings from U.S. government agencies, and left some analysts wondering if there’s an underlying problem in coding practices in the industry. And concerns about the software flaws have only been heightened because of companies’ increased reliance on telework during the coronavirus pandemic.
The Department of Homeland Security and U.S. Cyber Command in July urged organizations to update their software to address another vulnerability in PAN-OS. Cyber Command said then that foreign government-linked hackers would soon try to exploit the vulnerability. That same month, researchers found a vulnerability in applications made by software giant SAP that they said affected up to 40,000 SAP customers.