Preface: The firewall does not display the Captive Portal web form to users until you Configure Authentication Policy rules that trigger authentication when users request services or applications.

Vulnerability details: A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.

When a program (or subroutine) executes, it has a certain area of memory set aside called a stack (used for storing dynamically allocated variables). The stack also stores a return address to the program that invoked it. This allows a return to the code that was executing before the subroutine was called.

The goal of a buffer overflow attack is to overwrite the area of the stack where the return address is stored. The overwritten data will contain a new memory address pointing to the code that give a way for attacker to execute arbitrary code with privileges.

Official announcement: https://security.paloaltonetworks.com/CVE-2020-2040