Palo Alto Networks Patches Critical Vulnerability in Firewall Operating System


Palo Alto nets

Palo Alto Networks revealed a critical vulnerability found in the operating system (PAN-OS) of all its next-generation firewalls that could allow unauthenticated network-based attackers to bypass authentication.

According to the company’s website, PAN-OS is the software that powers all of its next-generation firewalls.

“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), incorrect verification of signatures in SAML PAN-OS authentication allows a unauthenticated network-based attacker accessing protected resources. ” Read the company’s safety notice.

While the ‘Validate Identity Provider Certificate’ option should normally not be disabled, this is the option recommended in the official implementation guidelines provided by Microsoft, Okta, Ping Identity, Duo and SecureAuth, as discovered by Bob Rudis of Rapid7.

“We don’t have a specific Sonar study for GlobalProtect PAN-OS devices, but our combined generic studies discovered more than 69,000 nodes, 28,188 (40.6%) of which are in the United States,” said Rudis.

The United States Cyber ​​Command also warned on Twitter that foreign APT groups are likely to attempt to exploit Palo Alto firewalls that have not been patched against this vulnerability.

Only affects devices where SAML authentication is enabled

The vulnerability tracked as CVE-2020-2021 has been rated Critical Severity with a CVSS 3.x base score of 10, and could be exploited by threat actors with network access to vulnerable servers as part of low complexity attacks .

The table below lists the affected PAN-OS versions and those that received patches from Palo Alto Networks to defend against possible attacks designed to exploit the CVE-2020-2021 vulnerability (problem is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and all newer versions).

Versions Affected Unaffected
9.1 > = 9.1.3
9.0 > = 9.0.9
8.1 > = 8.1.15
8.0 8.0. *
7.1 7.1. *

“For GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to affected servers can access protected resources if allowed by configured authentication and security policies ” Explain

“There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or alter the sessions of regular users.

“For PAN-OS and Panorama web interfaces, this problem allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as administrator and take administrative action.”

CVE-2020-2021

Second critical vulnerability that receives a base score of 10

Detailed instructions on how to verify the required exposure settings and how to mitigate are available in this knowledge base article.

Customers who want to look for signs of compromise before applying mitigation measures or applying the patch are encouraged to examine authentication records, user ID records, source / destination regions of ACC network activity (leveraging the feature Global Filter), Custom Reports (Monitor> Report) and GlobalProtect Logs (PAN-OS 9.1.0 and higher).

According to the security advisory, any unusual username or source IP address found in these logs and reports are indicators of a compromise.

Palo Alto Networks says that malicious attempts to exploit the CVE-2020-2021 vulnerability were not detected until the security advisory was released.

The problem was reported to Palo Alto Networks by Salman Khan of the Cyber ​​Risk and Resilience Team and Cameron Duck of the Identity Services Team at Monash University.

This is the second vulnerability revealed by Palo Alto Networks that has obtained a perfect CVSS 3.x score of 10 since April 27, 2012, according to the companies’ security advisory page.

The other critical security issue that also received a base score of 10 is tracked as CVE-2019-17440 and is an inadequate restriction of communication to Log Forwarding Card (LFC) on PA-7000 series devices that allowed attackers get access to the PAN-OS root.

Update June 29, 5:49 PM EDT: Added information about the estimated number of vulnerable devices.