Palo Alto Networks disclosed a critical vulnerability found in the operating system (PAN-OS) of all its next-generation firewalls that could allow unauthenticated network-based attackers to bypass authentication.
According to the company’s website, PAN‑OS is the software that powers all of its next-generation firewalls.
“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” the company’s security advisory reads.
Only affects devices where SAML authentication is enabled
The vulnerability, tracked as CVE-2020-2021, has been rated critical with a CVSS 3.x base score of 10, and it could be exploited in low-complexity attacks by threat actors with network access to vulnerable servers.
The table embedded below lists the affected PAN-OS versions and the versions that received patches from Palo Alto Networks to defend against potential attacks designed to exploit the CVE-2020-2021 vulnerability (the issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all newer versions).
“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies,” Palo Alto Networks explains.
“There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users.
“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions.”
Second critical vulnerability receiving a base score of 10
Detailed instructions on how to check for the configuration required for exposure and how to mitigate are available in this knowledge base article.
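As an added illustration, not taken from the advisory or the knowledge base article, the following Python script walks an exported PAN-OS-style configuration and lists the authentication profiles whose SAML IdP server profile has certificate validation turned off, which is the exposed combination the advisory describes. The XML layout and the element names (validate-idp-certificate, server-profile, authentication-profile) are assumptions modelled on PAN-OS terminology, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PAN-OS-style configuration, not a real export.
# Element names follow PAN-OS terminology but are assumed here; check them against
# a real exported configuration before relying on this script.
SAMPLE_CONFIG = """<config><shared>
  <server-profile><saml-idp>
    <entry name="corp-idp-unsafe"><validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="corp-idp-safe"><validate-idp-certificate>yes</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="gp-saml-auth">
      <method><saml-idp><server-profile>corp-idp-unsafe</server-profile></saml-idp></method>
    </entry>
    <entry name="admin-saml-auth">
      <method><saml-idp><server-profile>corp-idp-safe</server-profile></saml-idp></method>
    </entry>
    <entry name="local-auth"><method><local-database/></method></entry>
  </authentication-profile>
</shared></config>"""


def exposed_auth_profiles(config_xml):
    """Return the names of authentication profiles that use a SAML IdP server profile
    with IdP certificate validation disabled: the exposure condition for CVE-2020-2021."""
    root = ET.fromstring(config_xml)
    # Map each SAML IdP server profile to whether it validates the IdP certificate.
    # A missing element is treated as "no", so it is reported rather than missed.
    validates = {}
    for entry in root.findall(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        validates[entry.get("name")] = flag.strip().lower() == "yes"
    exposed = []
    for prof in root.findall(".//authentication-profile/entry"):
        ref = prof.findtext("method/saml-idp/server-profile")
        if ref is None:
            continue  # not a SAML profile, so not affected by this issue
        # A reference to an unknown server profile is also reported for review.
        if not validates.get(ref, False):
            exposed.append(prof.get("name"))
    return exposed


if __name__ == "__main__":
    for name in exposed_auth_profiles(SAMPLE_CONFIG):
        print(f"EXPOSED: {name} uses SAML without IdP certificate validation")
```

Run it against your own exported configuration instead of SAMPLE_CONFIG; every profile it reports should either have validation enabled or be moved off SAML until the patch is applied.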
Customers who want to look for signs of compromise before applying the mitigation measures or the patch are advised to examine the authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (leveraging the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above).
According to the security advisory, any unusual usernames or source IP addresses found in these logs and reports are indicators of a compromise.
Palo Alto Networks says that no malicious attempts to exploit the CVE-2020-2021 vulnerability had been detected as of the time the security advisory was published.
The issue was reported to Palo Alto Networks by Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University.
This is the second vulnerability disclosed by Palo Alto Networks that received a perfect CVSS 3.x base score of 10 since April 27, 2012, according to the company’s security advisories page.
The other critical security issue that also received a base score of 10 is tracked as CVE-2019-17440; it is an improper restriction of communication to the Log Forwarding Card (LFC) on PA-7000 Series devices that allowed attackers to gain root access to PAN-OS.