Palo Alto Networks addressed a critical vulnerability, tracked as CVE-2020-2021, in PAN-OS, the operating system that powers its next-generation firewalls, which could allow unauthenticated network-based attackers to bypass authentication.
“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” reads the security advisory published by the company. “The attacker must have network access to the vulnerable server to exploit this vulnerability.”
The CVE-2020-2021 vulnerability has been rated as critical severity and received a CVSS 3.x base score of 10.
According to Palo Alto Networks, the vulnerability impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and all versions of PAN-OS 8.0 (EOL). This issue doesn’t affect PAN-OS 7.1.
The company confirmed that the vulnerability cannot be exploited if SAML is not used for authentication, or if the ‘Validate Identity Provider Certificate’ option is enabled (checked) in the SAML Identity Provider Server Profile.
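To show what the ‘Validate Identity Provider Certificate’ option guards against in any SAML service provider, here is a simplified model added for this article (not PAN-OS code, and not a reproduction of the PAN-OS implementation): a signature is only meaningful if the certificate it is checked against is itself confirmed to be the configured IdP’s. An HMAC keyed with the certificate bytes stands in for the XML signature, and all certificates and assertions are constructed sample values.

```python
import hashlib
import hmac

# Simplified model of SAML response checking, written for this article (not PAN-OS code).
# Real SAML signs the Assertion with XML Digital Signature using the IdP's private key;
# here an HMAC keyed with the "certificate" bytes stands in for the signature, and the
# response carries that certificate the way <ds:KeyInfo> carries an X.509 certificate.
# All keys and assertions below are constructed sample values.

def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint, the form in which an admin pins the IdP certificate."""
    return hashlib.sha256(cert).hexdigest()

def sign_response(assertion: str, signer_cert: bytes) -> dict:
    """Produce a response whose signature verifies under the embedded certificate."""
    sig = hmac.new(signer_cert, assertion.encode(), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "cert": signer_cert, "signature": sig}

def verify_response(resp: dict, pinned_idp_cert: bytes, validate_idp_cert: bool) -> bool:
    """Accept the response only if its signature checks out.

    validate_idp_cert=False models the unchecked option: the embedded certificate is
    taken at face value and used for the check. validate_idp_cert=True models the
    checked option: the embedded certificate must be the configured IdP's, and the
    pinned certificate is what the signature is verified against.
    """
    if validate_idp_cert:
        if fingerprint(resp["cert"]) != fingerprint(pinned_idp_cert):
            return False          # not the trusted IdP's certificate: reject outright
        key = pinned_idp_cert
    else:
        key = resp["cert"]        # weak: trusts whatever certificate the message carries
    expected = hmac.new(key, resp["assertion"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["signature"])

IDP_CERT = b"constructed-trusted-idp-certificate"
OTHER_CERT = b"constructed-certificate-not-from-the-idp"
GENUINE = sign_response("NameID=alice", IDP_CERT)
NOT_FROM_IDP = sign_response("NameID=bob", OTHER_CERT)

def outcomes() -> dict:
    """Acceptance of each response under both settings of the option."""
    return {
        "genuine/unchecked": verify_response(GENUINE, IDP_CERT, validate_idp_cert=False),
        "genuine/checked": verify_response(GENUINE, IDP_CERT, validate_idp_cert=True),
        "other/unchecked": verify_response(NOT_FROM_IDP, IDP_CERT, validate_idp_cert=False),
        "other/checked": verify_response(NOT_FROM_IDP, IDP_CERT, validate_idp_cert=True),
    }
```

Only the checked setting rejects the response that was not signed by the configured IdP; the unchecked setting accepts any internally consistent message, which is why the advisory treats the option as the mitigation.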
“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies,” Palo Alto Networks explains.
“There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users.”
In attacks against PAN-OS and Panorama web interfaces, this vulnerability could be exploited by an unauthenticated attacker with network access to log in as an administrator and perform administrative actions.
The good news is that Palo Alto Networks is not aware of attacks in the wild exploiting this vulnerability.
Admins can determine whether their installations are vulnerable by following the instructions provided by the company in a knowledge base article.
Customers can inspect the authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (leveraging the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above) to determine whether their installations have been compromised.
The presence of unusual usernames or source IP addresses in these logs and reports is an indicator of compromise.
The vulnerability was reported to Palo Alto Networks by Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University.
(SecurityAffairs – hacking, PAN-OS)