Palo Alto Networks has disclosed CVE-2020-2021, a critical vulnerability in PAN-OS, the operating system of its next-generation firewalls, that allows network-based attackers to bypass authentication. According to the company's security advisory, the vulnerability is present only when Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile. "Improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources," the advisory states. The vulnerability carries the highest possible CVSS 3.x base score, 10.0.
Affected PAN-OS versions are 9.1 (before 9.1.3), 9.0 (before 9.0.9), 8.1 (before 8.1.15), and all releases of the end-of-life 8.0 train. Version 7.1 is not affected. The company also states, "For GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies."
Impacted customers are advised to examine the Authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (using the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect logs (PAN-OS 9.1.0 and later) for signs of compromise before applying mitigation measures. Unusual usernames or source IP addresses in these logs and reports are indicators of compromise: with signature verification bypassed, an attacker can log in as a username the IdP never authenticated, so look for accounts that do not exist in the identity provider and for successful logins from addresses outside the ranges from which users normally connect.
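The triage described above, as an added example that is not part of the advisory: a small script that scans an exported authentication log for successful logins by usernames the directory does not know or from source addresses outside the expected networks. The log format is a constructed, simplified CSV (timestamp, user, source IP, authentication profile, result); a real PAN-OS log export has more columns, so the field mapping in `parse_auth_log` must be adjusted to your export. The user list and network ranges are likewise assumptions standing in for your own directory and address plan.

```python
"""Triage of authentication logs for CVE-2020-2021 indicators.

Added example, not Palo Alto Networks code. The log format below is a
constructed, simplified CSV; map the fields to your own export.
"""
import csv
import io
import ipaddress

# Constructed sample export. The last two rows are the anomalies:
# a username that does not exist in the IdP, and a service account
# logging in from an address outside the corporate ranges.
SAMPLE_AUTH_LOG = """\
2020/06/29 08:02:11,alice,10.20.30.41,GP-SAML,success
2020/06/29 08:05:47,bob,10.20.30.88,GP-SAML,success
2020/06/29 08:09:03,alice,10.20.30.41,GP-SAML,success
2020/06/29 23:41:58,admin,203.0.113.77,GP-SAML,success
2020/06/30 02:17:30,svc_backup,198.51.100.9,GP-SAML,success
"""

# Assumed environment knowledge: the users the IdP actually holds, and the
# networks from which SAML logins are expected.
KNOWN_USERS = {"alice", "bob", "carol"}
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("192.168.0.0/16")]


def parse_auth_log(text):
    """Parse the constructed CSV format into a list of dicts."""
    fields = ["timestamp", "user", "source_ip", "auth_profile", "result"]
    return [dict(zip(fields, row))
            for row in csv.reader(io.StringIO(text)) if row]


def find_indicators(entries, known_users=KNOWN_USERS,
                    expected_networks=EXPECTED_NETWORKS):
    """Return (entry, reasons) pairs for successful logins that look unusual.

    A successful SAML login by a username the IdP does not know, or from a
    source outside the expected networks, is the kind of "unusual username
    or source IP" the advisory tells customers to look for.
    """
    findings = []
    for entry in entries:
        if entry["result"] != "success":
            continue
        reasons = []
        if entry["user"] not in known_users:
            reasons.append("unknown username")
        addr = ipaddress.ip_address(entry["source_ip"])
        if not any(addr in net for net in expected_networks):
            reasons.append("source outside expected networks")
        if reasons:
            findings.append((entry, reasons))
    return findings


def sources_per_user(entries):
    """Map each user to the set of source IPs they logged in from, to spot a
    known account that suddenly authenticates from a new address."""
    seen = {}
    for entry in entries:
        if entry["result"] == "success":
            seen.setdefault(entry["user"], set()).add(entry["source_ip"])
    return seen


if __name__ == "__main__":
    entries = parse_auth_log(SAMPLE_AUTH_LOG)
    for entry, reasons in find_indicators(entries):
        print(f"{entry['timestamp']} user={entry['user']} "
              f"src={entry['source_ip']}: {', '.join(reasons)}")
```

Run the script as-is to see the two flagged rows; in practice, feed it the exported Authentication log and replace the constants with your directory export and address ranges. Flagged entries are leads, not proof: confirm each against the IdP's own sign-in records, which will show no corresponding authentication if the firewall accepted a forged assertion.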
Regarding mitigation, users are advised to make sure that the 'Identity Provider Certificate' is configured in the SAML Identity Provider Server Profile and, if the identity provider (IdP) signing certificate is signed by a certificate authority (CA), that the 'Validate Identity Provider Certificate' option is enabled there. The validation option requires a CA-signed IdP certificate and cannot be used with a self-signed one, so customers whose IdP signs with a self-signed certificate have to upgrade to a fixed release rather than rely on the workaround.
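The two conditions that make a firewall exposed, a vulnerable PAN-OS release and an in-use SAML profile with validation unchecked, can be checked from a configuration export. The following audit script is an added example, not Palo Alto Networks code. It assumes the SAML IdP server profile lives at `/config/shared/server-profile/saml-idp/entry` with the checkbox stored as `<validate-idp-certificate>`, and that authentication profiles using SAML reference it at `method/saml-idp/server-profile`; confirm these element names against your own `show config` output before relying on it. The sample configuration is constructed and trimmed.

```python
"""Audit a PAN-OS configuration export for the CVE-2020-2021 exposure condition.

Added example, not Palo Alto Networks code. Assumed element names:
  /config/shared/server-profile/saml-idp/entry/validate-idp-certificate
  /config/shared/authentication-profile/entry/method/saml-idp/server-profile
Verify them against your own configuration export.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed sample export: one SAML profile is in use
# with validation unchecked, the other validates but is not referenced.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <certificate>corp-idp-signing</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
          <entity-id>https://idp.example.com/saml</entity-id>
        </entry>
        <entry name="lab-idp">
          <certificate>lab-idp-signing</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
          <entity-id>https://lab-idp.example.com/saml</entity-id>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="GP-SAML">
        <method><saml-idp><server-profile>corp-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="LOCAL-ADMINS">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>"""

# First fixed release per affected train, from the advisory. The 8.0 train is
# end-of-life with no fix; 7.1 is not affected.
FIXED_RELEASE = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}


def version_affected(sw_version):
    """True if a PAN-OS version string such as '9.1.2' or '9.0.9-h1' falls in
    the vulnerable range named by the advisory."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", sw_version)
    if not m:
        raise ValueError(f"unrecognised version string: {sw_version}")
    major, minor, patch = (int(x) for x in m.groups())
    train = (major, minor)
    if train == (7, 1):
        return False
    if train == (8, 0):
        return True
    fixed = FIXED_RELEASE.get(train)
    if fixed is None:
        return False  # train not listed in the advisory (assumed unaffected)
    return (major, minor, patch) < fixed


def saml_profiles_in_use(root):
    """Names of SAML IdP server profiles referenced by an authentication profile,
    i.e. the profiles for which SAML authentication is actually enabled."""
    path = "./shared/authentication-profile/entry/method/saml-idp/server-profile"
    return {el.text.strip() for el in root.iterfind(path) if el.text}


def exposed_saml_profiles(config_xml):
    """Return the SAML IdP profiles that are in use and have validation unchecked.

    A missing <validate-idp-certificate> element is treated as 'no', the
    assumed on-disk form of an unchecked box.
    """
    root = ET.fromstring(config_xml)
    in_use = saml_profiles_in_use(root)
    exposed = []
    for entry in root.iterfind("./shared/server-profile/saml-idp/entry"):
        name = entry.get("name")
        flag = entry.findtext("validate-idp-certificate", default="no")
        if name in in_use and flag.strip().lower() != "yes":
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    running = "9.1.2"  # value of sw-version from 'show system info'
    exposed = exposed_saml_profiles(SAMPLE_CONFIG)
    if version_affected(running) and exposed:
        print(f"PAN-OS {running} is vulnerable; in-use SAML profiles without "
              f"IdP certificate validation: {exposed}")
    else:
        print("configuration not exposed to CVE-2020-2021")
```

Only profiles that an authentication profile actually references are reported, since an unused SAML profile cannot be reached by a login attempt; a profile flagged here should either have validation turned on with a CA-signed IdP certificate or the device should be moved to a fixed release.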
Palo Alto Networks states that, at the time of the advisory, it was not aware of any malicious exploitation of the vulnerability. The advisory, including the mitigation instructions, is available here: https://security.paloaltonetworks.com/CVE-2020-2021
U.S. Cyber Command (USCYBERCOM) tweeted the advisory with a recommendation to prioritize patching, as "Foreign APTs will likely attempt exploit soon."