U.S. Cyber Command has issued a warning about a maximum-severity vulnerability in PAN-OS, the operating system that runs Palo Alto Networks firewalls. The flaw is not currently known to be exploited in the wild, but that is expected to change: advanced persistent threat actors are expected to attempt exploitation soon, so prompt patching is essential. The severity of this flaw should not be underestimated.
The vulnerability, tracked as CVE-2020-2021, is an authentication bypass in PAN-OS, the operating system used by Palo Alto Networks firewalls. According to Palo Alto Networks, the flaw is exploitable “When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.”
The flaw can be exploited remotely, requires minimal skill and needs no user interaction. Even though it is not a remote code execution vulnerability, it has been assigned a CVSS v3 base score of 10 out of 10. The reason for the maximum score is that an unauthenticated attacker with network access to the PAN-OS or Panorama web interface could bypass authentication, log in to the firewall as an administrator and potentially take full control of the device or use it to reach the networks behind it. Against the VPN and captive portal components, the same bypass lets an attacker authenticate as a legitimate user and reach the protected resources and sensitive data those services guard, to the extent the configured authentication and security policies allow.
Palo Alto Networks says the following components are affected when they are configured to use SAML-based single sign-on:
- PAN-OS Next-gen firewalls (PA-Series, VM-Series) and Panorama web interfaces
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- Prisma Access
Palo Alto Networks has fixed the vulnerability in PAN-OS 8.1.15, PAN-OS 9.0.9 and PAN-OS 9.1.3, and in all later releases. Upgrading immediately is essential.
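Because the fix exists only as of specific maintenance releases on three branches, triaging a fleet by hand is error-prone, particularly with hotfix builds such as 9.0.8-h1 that sort above the base release but still below the fixed one. The script below is an added example, not code from the article or from Palo Alto Networks: it parses PAN-OS version strings (including the `-hN` hotfix suffix) and compares them against the fixed releases the article names. The inventory lines are constructed; the `sw-version:` field mirrors the output of the PAN-OS `show system info` command, but the hostnames and versions are made up. Branches older than 8.1 get no verdict, because the article lists no fixed release for them.

```python
"""Triage PAN-OS versions against the CVE-2020-2021 fixed releases.

Added example, not part of the advisory. Fixed releases are the ones
named in the text (8.1.15, 9.0.9, 9.1.3 and everything later).
"""
import re

# Earliest fixed release per maintenance branch, from the advisory text.
FIXED = {(8, 1): (8, 1, 15), (9, 0): (9, 0, 9), (9, 1): (9, 1, 3)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A hotfix (-hN) sorts after the base release it patches, so 9.0.8-h1
    is still below 9.0.9.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(version_text):
    """True if the release carries the fix, False if it is an earlier
    release of a patched branch, None if the branch (e.g. 8.0 or older)
    has no fixed release listed and must be checked against the vendor
    advisory separately."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return v[:3] >= FIXED[branch]
    if branch > (9, 1):
        return True  # branches newer than 9.1 shipped after the fix
    return None


# Constructed inventory: '<hostname> sw-version: <version>' per line.
SAMPLE_INVENTORY = """\
fw-edge-01 sw-version: 9.0.8
fw-edge-02 sw-version: 9.0.9
pano-01 sw-version: 8.1.14-h3
fw-dc-01 sw-version: 9.1.3
fw-lab-01 sw-version: 8.0.21
"""


def triage(inventory):
    """Map each hostname to 'patched', 'unpatched' or 'unlisted branch'."""
    results = {}
    for line in inventory.splitlines():
        host, sep, ver = line.partition(" sw-version: ")
        if not sep:
            continue  # skip lines that are not inventory records
        fixed = is_fixed(ver)
        if fixed is True:
            results[host] = "patched"
        elif fixed is False:
            results[host] = "unpatched"
        else:
            results[host] = "unlisted branch"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

An "unpatched" verdict means the release predates the fix; whether the device is actually exposed still depends on SAML being enabled with validation off, which the version string alone cannot tell you.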
If it is not possible to apply the patch immediately, there are mitigations that prevent the vulnerability from being exploited.
Palo Alto Networks also suggests disabling SAML authentication and using an alternate authentication method, which fully mitigates the issue. Where SAML authentication must stay in use until the upgrade can be performed, the SAML configuration must satisfy both (a) and (b):
(a) Ensure that the ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML authentication configuration.
(b) If the identity provider (IdP) certificate is signed by a certificate authority (CA), ensure that the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default, and the option cannot be enabled for a self-signed certificate, so additional steps may be required to obtain a CA-signed one. The certificate can be signed by an internal enterprise CA, by the CA on the PAN-OS device, or by a public CA.
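Steps (a) and (b) are easy to state and easy to get wrong across many firewalls, especially when some profiles reference a self-signed IdP certificate that cannot be validated. The script below is an added example, not code from the article or from Palo Alto Networks: it audits SAML IdP server profiles in an exported PAN-OS configuration against both conditions. The config fragment is constructed, and the element names (`shared/server-profile/saml-idp/entry` with `certificate` and `validate-idp-certificate` children, and `shared/certificate/entry` with `subject` and `issuer`) are assumed from the layout of PAN-OS XML exports; check them against your own export before relying on the paths. Self-signedness is inferred from subject equalling issuer, which is how openssl's `-subject`/`-issuer` check would classify it.

```python
"""Audit PAN-OS SAML IdP profiles against the CVE-2020-2021 workaround.

Added example, not vendor code. Element names are assumed from the
PAN-OS XML config layout; the fragment below is constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <shared>
    <certificate>
      <entry name="idp-okta-selfsigned">
        <subject>CN=okta-idp</subject>
        <issuer>CN=okta-idp</issuer>
      </entry>
      <entry name="idp-adfs-ca">
        <subject>CN=adfs.example.test</subject>
        <issuer>CN=Example Corp Issuing CA</issuer>
      </entry>
    </certificate>
    <server-profile>
      <saml-idp>
        <entry name="okta-weak">
          <certificate>idp-okta-selfsigned</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="adfs-unvalidated">
          <certificate>idp-adfs-ca</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="adfs-ok">
          <certificate>idp-adfs-ca</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="no-cert">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""


def is_self_signed(cert_entry):
    """Subject == issuer is the usual sign of a self-signed certificate."""
    return cert_entry.findtext("subject") == cert_entry.findtext("issuer")


def audit_saml_profiles(config_xml):
    """Return {profile name: [issues]}; an empty list means the profile
    meets both workaround conditions (a) and (b)."""
    root = ET.fromstring(config_xml)
    certs = {e.get("name"): e
             for e in root.iterfind("./shared/certificate/entry")}
    findings = {}
    for prof in root.iterfind("./shared/server-profile/saml-idp/entry"):
        issues = []
        cert_name = prof.findtext("certificate")
        validate = prof.findtext("validate-idp-certificate", "no") == "yes"
        if not cert_name:
            # Step (a): a configured IdP certificate is mandatory.
            issues.append("no Identity Provider Certificate configured; "
                          "configure one (step (a))")
        elif not validate:
            # Step (b): validation must be on, which needs a CA-signed cert.
            cert = certs.get(cert_name)
            if cert is None:
                issues.append(f"references unknown certificate {cert_name!r}")
            elif is_self_signed(cert):
                issues.append("IdP certificate is self-signed, so validation "
                              "cannot be enabled; obtain a CA-signed "
                              "certificate first (step (b))")
            else:
                issues.append("'Validate Identity Provider Certificate' is "
                              "disabled although the IdP certificate is "
                              "CA-signed; enable it (step (b))")
        findings[prof.get("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_saml_profiles(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against a saved copy of the running configuration rather than the candidate config, since only the committed profile governs what the firewall enforces.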