
Palo Alto Networks disclosed a critical vulnerability found in the operating system (PAN-OS) of all its next-generation firewalls that could allow unauthenticated network-based attackers to bypass authentication.

According to the company's website, PAN‑OS is the software that powers all of its next-generation firewalls.

"When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources," the company's security advisory reads.

Although the 'Validate Identity Provider Certificate' option should not normally be disabled, Rapid7's Bob Rudis found that leaving it unchecked is exactly what the official PAN-OS deployment guides published by Microsoft, Okta, Ping Identity, Duo, and SecureAuth recommend, so many deployments that followed vendor documentation are in the vulnerable configuration.
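The option name points at a general rule: a signature check is only as good as the verifier's decision about which key to trust, and that decision has to be made independently of the message being checked. The toy below, added here as an illustration and not PAN-OS code (it does not claim to show how the PAN-OS check actually failed), contrasts a service provider that pins the IdP key configured out of band against one that trusts whatever key the SAML response carries in its own KeyInfo. The "RSA" is a textbook scheme over fixed Mersenne primes with no padding, the assertion is a constructed byte string rather than real XML, and all key material is generated inline; none of it is from the advisory.

```python
import hashlib
from dataclasses import dataclass

# Textbook RSA over fixed Mersenne primes, with no padding: fine for showing
# the trust decision, unusable as real crypto. Not any vendor's scheme.
E = 65537


def keypair(p, q):
    """Return (public modulus n, private exponent d) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


def digest(message: bytes) -> int:
    # SHA-224 keeps the digest smaller than every modulus used below.
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, n: int, d: int) -> int:
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, n: int) -> bool:
    return pow(signature, E, n) == digest(message)


@dataclass
class SamlResponse:
    """Stand-in for a SAML Response (constructed; not real XML)."""
    assertion: bytes      # the signed assertion, e.g. b"NameID=alice;Audience=portal"
    signature: int        # signature over the assertion
    embedded_key: int     # modulus the response carries in its own KeyInfo


def verify_response(resp: SamlResponse, configured_idp_key: int,
                    validate_idp_cert: bool) -> bool:
    """Accept the response only if its signature verifies under the key the
    service provider chooses to trust.

    validate_idp_cert=True : trust only the IdP key configured out of band.
    validate_idp_cert=False: trust the key the response itself embeds, the
                             weak pattern this example exists to show.
    """
    trusted_key = configured_idp_key if validate_idp_cert else resp.embedded_key
    return verify(resp.assertion, resp.signature, trusted_key)


# Legitimate IdP key pair and an attacker's own key pair (both constructed).
IDP_N, IDP_D = keypair(2**127 - 1, 2**107 - 1)
ATTACKER_N, ATTACKER_D = keypair(2**521 - 1, 2**107 - 1)


def legitimate_response() -> SamlResponse:
    assertion = b"NameID=alice;Audience=globalprotect-portal"
    return SamlResponse(assertion, sign(assertion, IDP_N, IDP_D), IDP_N)


def forged_response() -> SamlResponse:
    # The attacker signs an admin assertion with a key they control and ships
    # the matching public key inside the response.
    assertion = b"NameID=admin;Audience=pan-os-web-ui"
    return SamlResponse(assertion, sign(assertion, ATTACKER_N, ATTACKER_D), ATTACKER_N)


if __name__ == "__main__":
    for name, resp in (("legitimate", legitimate_response()), ("forged", forged_response())):
        for validate in (True, False):
            ok = verify_response(resp, IDP_N, validate_idp_cert=validate)
            print(f"{name:10} validate_idp_cert={str(validate):5} -> {'ACCEPT' if ok else 'REJECT'}")
```

The forged response is accepted only in the `validate_idp_cert=False` branch: the signature is mathematically valid, just under a key nobody configured. That is why "does the signature verify" is the wrong question on its own; the question is "does it verify under the key I already trust".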

"We have no specific Sonar study for GlobalProtect PAN-OS devices, but our combined generic studies discovered just over 69,000 nodes, 28,188 (40.6%) of which are in the U.S.," Rudis also said.

United States Cyber Command also warned on Twitter that foreign APT groups will likely attempt to exploit Palo Alto firewalls not patched against this vulnerability.

Only affects devices where SAML authentication is enabled and IdP certificate validation is off

The vulnerability, tracked as CVE-2020-2021, is rated critical with a CVSS 3.x base score of 10: it can be exploited by attackers with network access to a vulnerable server in a low-complexity attack that requires no privileges and no user interaction.

The table below lists the affected PAN-OS versions alongside the releases that fix CVE-2020-2021. The issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all newer versions.

Version   Affected    Unaffected
9.1       < 9.1.3     >= 9.1.3
9.0       < 9.0.9     >= 9.0.9
8.1       < 8.1.15    >= 8.1.15
8.0       8.0.*       none
7.1       none        7.1.*

"In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies," Palo Alto Networks explains.

"There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users.

"In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions."

Resources that could be protected with SAML-based single sign-on (SSO) auth and potentially vulnerable to attacks include:

• GlobalProtect Gateway,
• GlobalProtect Portal,
• GlobalProtect Clientless VPN,
• Authentication and Captive Portal,
• PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,
• Prisma Access


Second critical vulnerability receiving a base score of 10

Detailed instructions on how to check whether a device has the configuration required for exposure, and how to mitigate, are available in a Palo Alto Networks knowledge base article.

Customers who want to look for signs of compromise before applying mitigation measures or applying the patch are advised to examine the authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (Leveraging the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above).

According to the security advisory, unusual usernames or source IP addresses appearing in these logs and reports are indicators of compromise and should be investigated.
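The two indicators the advisory names, unusual usernames and unusual source IP addresses, are simple to hunt for once authentication events are in a tabular form. The script below is an added example, not Palo Alto Networks' tooling: it runs that hunt over a handful of constructed log lines in a made-up CSV layout (the column names are not PAN-OS field names; export your own logs and map the columns), against an assumed directory of known users and an assumed list of networks users normally connect from.

```python
import csv
import io
import ipaddress

# Constructed sample in an invented CSV layout; not the PAN-OS log format.
SAMPLE_AUTH_LOG = """time,user,source_ip,auth_method,result,resource
2020-06-28T09:14:02Z,alice,198.51.100.23,saml,success,globalprotect-portal
2020-06-28T09:15:40Z,bob,198.51.100.77,saml,success,globalprotect-gateway
2020-06-28T11:02:11Z,ADMIN,203.0.113.9,saml,success,web-ui
2020-06-28T11:03:55Z,alice,203.0.113.9,saml,success,globalprotect-portal
2020-06-28T12:00:00Z,carol,198.51.100.5,ldap,failure,globalprotect-portal
"""

# Assumed: accounts that actually exist in the directory the IdP fronts, and
# the networks users are expected to come from (RFC 5737 test ranges here).
KNOWN_USERS = {"alice", "bob", "carol"}
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text: str) -> list:
    """Read the CSV export into a list of dicts, one per authentication event."""
    return list(csv.DictReader(io.StringIO(text)))


def in_expected_sources(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def hunt(entries: list, known_users=KNOWN_USERS) -> list:
    """Flag successful SAML logins whose username or source IP is unusual.

    Only SAML successes matter here: the bypass yields a successful SAML
    authentication, so failures and other auth methods are out of scope.
    """
    findings = []
    for e in entries:
        if e["auth_method"] != "saml" or e["result"] != "success":
            continue
        reasons = []
        # Exact match on purpose: an assertion naming "ADMIN" when the directory
        # has no such account (or only "admin") is exactly the oddity to catch.
        if e["user"] not in known_users:
            reasons.append("unknown username")
        if not in_expected_sources(e["source_ip"]):
            reasons.append("unexpected source IP")
        if reasons:
            findings.append({
                "time": e["time"],
                "user": e["user"],
                "source_ip": e["source_ip"],
                "resource": e["resource"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_log(SAMPLE_AUTH_LOG)):
        print(f"{f['time']} {f['user']:8} {f['source_ip']:15} {f['resource']:22} "
              + ", ".join(f["reasons"]))
```

On the sample data this flags the "ADMIN" login to the web interface (unknown account, unexpected network) and alice's portal login from the same outside address. A real hunt should also pull the IdP's own sign-in log and confirm that every SAML success on the firewall has a matching sign-in on the IdP; a firewall-side success with no IdP-side record is the strongest signal that an assertion was forged rather than issued.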

Palo Alto Networks says it was not aware of any malicious exploitation of CVE-2020-2021 at the time the security advisory was published.

The issue was reported to Palo Alto Networks by Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University.

This is the second vulnerability disclosed by Palo Alto Networks to receive a perfect CVSS 3.x base score of 10 since April 27, 2012, according to the company's security advisories page.

The other critical security issue with a base score of 10 is tracked as CVE-2019-17440: an improper restriction of communication to the Log Forwarding Card (LFC) on PA-7000 Series devices that allowed attackers to gain root access to PAN-OS.

Update June 29, 17:49 EDT: Added info on the estimated number of vulnerable devices.
