Palo Alto Networks has patched a critical vulnerability in many of its firewalls, VPNs, and security gateways that allows a network attacker to bypass authentication and gain access to sensitive network resources.
The vulnerability lies in the way the company’s PAN-OS software checks signatures when SAML authentication is enabled. It affects PAN-OS 9.1 versions before 9.1.3, PAN-OS 9.0 versions before 9.0.9, PAN-OS 8.1 versions before 8.1.15, and all versions of PAN-OS 8.0, which is no longer supported. For an attacker to exploit the vulnerability, the target system must have SAML enabled for authentication and the Validate Identity Provider Certificate option must be disabled.
“When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability,” the Palo Alto advisory says.
Security Assertion Markup Language (SAML) is a standard that allows identity providers and service providers to share authentication and authorization information, and it is used in a number of SSO products and solutions.
The vulnerability (CVE-2020-2021) affects a number of Palo Alto products that can be protected by SAML-based single sign-on, including the GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, the PA-Series and VM-Series next-generation firewalls, and the Panorama web interfaces. The consequences of a successful exploit against the vulnerability vary depending on the target system.
“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server,” the Palo Alto advisory says.
“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions.”
On Monday, U.S. Cyber Command warned enterprises to patch quickly, saying attackers would likely be attracted to this vulnerability.
"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon," the group said.
Palo Alto said it is not aware of any current exploitation attempts against the vulnerability, but encouraged customers to upgrade to the fixed versions of PAN-OS as soon as possible. There are a couple of workarounds for security teams that can’t update immediately, the simplest of which is to disable SAML authentication altogether and use a different authentication method.
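The affected-version ranges and the two preconditions described above can be turned into a quick inventory triage. This is an added example, not code from Palo Alto Networks or the original article; the inventory records and their field names (`saml_enabled`, `validate_idp_cert`) are constructed, and the handling of a `-hN` hotfix suffix is an assumption about how version strings appear in an export.

```python
import re

# First fixed maintenance release per train, as listed in the article.
# 8.0 is unsupported and has no fix, so every 8.0 release counts as affected.
FIXED = {(9, 1): 3, (9, 0): 9, (8, 1): 15, (8, 0): None}

def parse_version(text):
    """Parse 'major.minor.maint' with an optional '-hN' hotfix suffix (assumed format)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def version_affected(text):
    """True/False for trains named in the article, None for any other train."""
    major, minor, maint, _hotfix = parse_version(text)
    if (major, minor) not in FIXED:
        return None
    fixed_maint = FIXED[(major, minor)]
    # A hotfix of an older maintenance release (e.g. 9.1.2-h1) is still before the fix.
    return fixed_maint is None or maint < fixed_maint

def triage(device):
    """Classify one inventory record (hypothetical field names)."""
    affected = version_affected(device["version"])
    if affected is None:
        return "unknown-train"   # the article gives no data for this train
    if not affected:
        return "patched"
    # Both preconditions must hold for CVE-2020-2021 to be reachable.
    if device["saml_enabled"] and not device["validate_idp_cert"]:
        return "exposed"
    return "upgrade"             # affected release, preconditions not currently met

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "fw-edge-01", "version": "9.1.2-h1", "saml_enabled": True, "validate_idp_cert": False},
    {"name": "fw-edge-02", "version": "9.0.9", "saml_enabled": True, "validate_idp_cert": False},
    {"name": "panorama-01", "version": "8.1.14", "saml_enabled": True, "validate_idp_cert": True},
    {"name": "fw-lab-01", "version": "8.0.20", "saml_enabled": False, "validate_idp_cert": False},
    {"name": "fw-old-01", "version": "7.1.26", "saml_enabled": True, "validate_idp_cert": False},
]

def report(inventory):
    """Map device name to triage status."""
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

Devices reported as `exposed` are the ones to patch or move off SAML first; `upgrade` devices run an affected release but do not currently meet both preconditions.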