A VULNERABILITY IN PALO ALTO PAN-OS COULD ALLOW FOR AUTHENTICATION BYPASS

Summary: CVE-2020-2021 has been published regarding a vulnerability in PAN-OS that allows for authentication bypass. This issue is applicable only where SAML authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked) in the SAML Identity Provider Server Profile. This vulnerability can lead to a serious breach in perimeter security measures, update immediately. Mitigations are available if update is not an option.

 

TLP: WHITE

MS-ISAC CYBERSECURITY ADVISORY

 

MS-ISAC ADVISORY NUMBER: 2020-086

 

DATE(S) ISSUED: 06/29/2020

 

SUBJECT: A Vulnerability in Palo Alto PAN-OS Could Allow for Authentication Bypass

 

OVERVIEW:

 

A vulnerability in Palo Alto PAN-OS which could allow for authentication bypass. PAN-OS is an operating system for all Palo Alto Networks next generation firewalls and other products. A network-based attacker could exploit this issue if SAML authentication is enabled on the affected device. Successful exploitation of this vulnerability could allow for an attacker to gain unauthorized access to the affected application and perform actions as an administrator.

 

THREAT INTELLIGENCE: There are currently no reports of this vulnerability being exploited in the wild.

 

SYSTEMS AFFECTED:

PAN-OS Versions 9.1 prior to 9.1.3

PAN-OS Versions 9.0 prior to 9.0.9

PAN-OS All Versions of 8.0

 

RISK:

Government:

Large and medium government entities: High

Small government entities: Medium

Businesses:

Large and medium business entities: High

Small business entities: Medium

Home users: Low

 

TECHNICAL SUMMARY:

A vulnerability in Palo Alto PAN-OS which could allow for authentication bypass. When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources(CVE-2020-2021). Protected resources that an attacker can potentially access include GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. If the web interfaces are only accessible to a restricted management network then risk of exploitation is lowered. Successful exploitation of this vulnerability could allow for an attacker to gain unauthorized access to the affected application and perform actions as an administrator.

 

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply appropriate patches or appropriate mitigations provided by Palo Alto to vulnerable systems immediately after appropriate testing.

Block external access at the network boundary, unless external parties require service.

If global access isn’t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Check if affected Palo Alto products are implementing SAML (if they are not using SAML you are not impacted)

If updating is not immediately available and the affected products are using SAML, apply mitigations by enabling the ‘Validate Identity Provider Certificate’ option in the SAML Identity Provider Server Profile if allowed. (See below knowledge base reference for additional details)

 

REFERENCES:

 

Palo Alto:

https://security.paloaltonetworks.com/CVE-2020-2021

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK

 

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2021