Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next-generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible.
The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
About the vulnerability (CVE-2020-2021)
CVE-2020-2021 is an authentication bypass stemming from improper verification of signatures in PAN-OS SAML authentication (CWE-347). It could allow unauthenticated, network-based attackers to reach SAML-protected resources without valid credentials; where that resource is the device's management interface, it means control of the device: changing its settings, changing access control policies, turning it off, etc.
Affected PAN-OS versions include PAN-OS 9.1 versions earlier than 9.1.3; PAN-OS 9.0 versions earlier than 9.0.9; PAN-OS 8.1 versions earlier than 8.1.15; and all versions of PAN-OS 8.0, which is end-of-life and will not receive a fix. PAN-OS 7.1 is not affected.
Also, the vulnerability is exploitable only if:
- The device is configured to use SAML authentication with single sign-on (SSO) for access management, and
- The “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile
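The two conditions above, together with the affected-version list, are enough to triage a fleet without touching the SAML flow itself. The script below is an added example and is not Palo Alto Networks tooling: it encodes the version ranges from the advisory and walks a PAN-OS XML configuration export looking for authentication profiles that use a SAML IdP server profile with certificate validation switched off. The element names it searches for (`server-profile/saml-idp/entry`, `validate-idp-certificate`, `authentication-profile/entry/method/saml-idp/server-profile`), the assumption that an absent flag means the default of "yes", and the sample configuration are the author's assumptions and constructed input; confirm the paths against a real export (`show config running` or an exported `running-config.xml`) before trusting the result.

```python
"""Triage helper for CVE-2020-2021 (added example, not Palo Alto Networks code).

Check 1: is the running PAN-OS version in an affected range?
Check 2: does the config use SAML with 'Validate Identity Provider
         Certificate' disabled, i.e. the exploitable combination?

The XML element names below are assumptions about the layout of a
PAN-OS configuration export; verify them against a real export.
"""
import re
import xml.etree.ElementTree as ET

# Release train -> first fixed build, per the advisory.
FIXED_IN = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
}
EOL_AFFECTED = {(8, 0)}   # end-of-life, every build affected, no fix coming
UNAFFECTED = {(7, 1)}     # explicitly not affected


def parse_version(sw_version: str):
    """Turn a sw-version string such as '9.1.2-h1' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", sw_version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {sw_version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(sw_version: str) -> bool:
    """True if the build is older than the fixed build of its train."""
    major, minor, patch = parse_version(sw_version)
    train = (major, minor)
    if train in UNAFFECTED:
        return False
    if train in EOL_AFFECTED:
        return True
    if train in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[train]
    # Trains the advisory does not name are treated as not affected here.
    return False


def saml_exposure(config_xml: str):
    """Return (authentication-profile, idp-profile) pairs where SAML is in use
    and the IdP certificate is not validated; an empty list means the
    configuration-side precondition for exploitation is not met."""
    root = ET.fromstring(config_xml)
    unvalidated = set()
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        # Assumed default: a missing flag behaves like the checked box ("yes").
        flag = entry.findtext("validate-idp-certificate", default="yes")
        if flag.strip().lower() != "yes":
            unvalidated.add(entry.get("name"))
    findings = []
    for prof in root.iterfind(".//authentication-profile/entry"):
        idp = prof.findtext("method/saml-idp/server-profile")
        if idp and idp in unvalidated:
            findings.append((prof.get("name"), idp))
    return findings


def triage(sw_version: str, config_xml: str) -> dict:
    """Combine both checks: the device is exploitable only when both hold."""
    affected = version_is_affected(sw_version)
    exposure = saml_exposure(config_xml)
    return {
        "version_affected": affected,
        "saml_unvalidated_profiles": exposure,
        "exploitable": affected and bool(exposure),
    }


# Constructed sample export: one IdP profile with validation off (used by the
# GlobalProtect profile), one with validation on, and one non-SAML profile.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-idp">
          <entity-id>urn:example:okta</entity-id>
          <sso-url>https://idp.example.com/sso/saml</sso-url>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="adfs-idp">
          <entity-id>urn:example:adfs</entity-id>
          <sso-url>https://adfs.example.com/adfs/ls</sso-url>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-saml">
        <method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-saml">
        <method><saml-idp><server-profile>adfs-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="local-auth">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>"""

if __name__ == "__main__":
    print(triage("9.1.2-h1", SAMPLE_CONFIG))
```

Run against the sample, the script flags `gp-saml` (backed by `okta-idp`, validation off) and ignores `admin-saml`, whose IdP profile validates the certificate. Note that a clean result from check 2 only removes the SAML precondition; an affected build should still be upgraded, because the setting can be flipped later.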
“Resources that can be protected by SAML-based single sign-on (SSO) authentication are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access,” Palo Alto Networks shared.
While the aforementioned configuration settings are not part of default configurations, it seems that finding vulnerable devices should not be much of a problem for attackers.
“It appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this [vulnerable] configuration or may only work using this configuration,” noted Tenable researcher Satnam Narang.
“These providers include Okta, SecureAuth, SafeNet Trusted Access, Duo, Trusona via Azure AD, Azure AD and Centrify.”
Even the PAN-OS 9.1 user guide instructs admins to disable the “Validate Identity Provider Certificate” option when setting up Duo integration:
The PAN-OS 9.1 user guide, which was apparently last updated 4 days ago (June 25), instructs admins to do just that when setting up DUO integration.
"Disable Validate Identity Provider Certificate, then click OK." pic.twitter.com/KLd78oImzs
— Will Dormann (@wdormann) June 29, 2020
Palo Alto Networks says that there is currently no indication of the vulnerability being under active attack.
But given that SSL VPN flaws in various enterprise solutions have been heavily exploited in the last year or so – both by cybercriminals and nation-state attackers – it is expected that this one will be as soon as a working exploit is developed.
What to do?
As mentioned before, implementing the security updates is the best solution.
Enterprise admins are advised to upgrade to PAN-OS versions 9.1.3, 9.0.9 or 8.1.15 if possible. Palo Alto Networks has provided instructions for doing that in a way that doesn’t break the authentication capability for users.
If updating is not possible, the risk can be temporarily mitigated by using a different authentication method and disabling SAML authentication.
Admins can check for indicators of compromise in a variety of logs (authentication logs, User-ID logs, GlobalProtect logs, etc.), looking for logins under unusual usernames or from unusual source IP addresses.