A critical vulnerability existed in PAN-OS, the operating system of Palo Alto Networks next-generation firewalls. The bug potentially put millions of devices at risk.
Palo Alto Firewall OS Vulnerability
Two security researchers found a critical vulnerability in the Palo Alto firewall OS: an authentication bypass in the Security Assertion Markup Language (SAML) authentication of PAN-OS, the operating system that powers Palo Alto Networks' next-generation firewalls.
Following the disclosure, researcher Bob Rudis of Rapid7 Labs published a detailed analysis of the vulnerability. Describing the flaw, CVE-2020-2021, in a blog post, he wrote,
If SAML is enabled on affected PAN-OS versions and the “Validate Identity Provider Certificate” option is disabled, then remote attackers can use this discovered weakness to bypass authentication and access resources on the protected side of the network.
The bypass does not work if the 'Validate Identity Provider Certificate' option is enabled.
Because SAML-based SSO authentication may protect the following resources, the vulnerability also exposes them:
- GlobalProtect Gateway
- Authentication and Captive Portal
- GlobalProtect Clientless VPN
- GlobalProtect Portal
- PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
- Prisma Access
Vendor Patched The Flaw
Following the report, Palo Alto Networks developed a patch for the flaw. In its advisory, which acknowledges the researchers, the vendor rated the bug a critical severity flaw with a CVSS score of 10.0.
The vulnerability affects the following PAN-OS versions:
- PAN-OS 9.1 versions earlier than 9.1.3
- PAN-OS 9.0 versions earlier than 9.0.9
- PAN-OS 8.1 versions earlier than 8.1.15
- All PAN-OS 8.0 (EOL) versions
PAN-OS 7.1 is not affected.
The vendor fixed the flaw in PAN-OS 9.1.3, 9.0.9, and 8.1.15.
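The two facts a defender needs from this article are the affected version ranges and the configuration condition (SAML enabled with "Validate Identity Provider Certificate" disabled). The following script, an added example that is not part of the original article or of any Palo Alto Networks or Rapid7 tooling, combines both into a quick exposure check: it classifies a PAN-OS version string against the ranges listed above and scans a configuration export for SAML IdP profiles that do not validate the IdP certificate. The XML layout (`shared/server-profile/saml-idp/entry` with a `validate-idp-certificate` child) and the sample configuration are assumptions constructed for the example, not a real device export; adjust the path to match your own config before relying on it.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as summarized in the advisory: 9.1 < 9.1.3, 9.0 < 9.0.9,
# 8.1 < 8.1.15, every 8.0 (EOL) release. 7.1 is not affected.
FIXED_VERSIONS = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}
ALL_AFFECTED_BRANCHES = {(8, 0)}
UNAFFECTED_BRANCHES = {(7, 1)}

# Constructed sample config (assumed layout, not a real PAN-OS export).
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <entity-id>https://idp.example.com/metadata</entity-id>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="hardened-idp">
          <entity-id>https://idp2.example.com/metadata</entity-id>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""


def parse_version(version):
    """Turn '9.1.2' or '8.1.14-h2' into a comparable (major, minor, patch) tuple.
    A hotfix suffix (-hN) does not change which maintenance release this is."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-h\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_is_affected(version):
    """True if the release falls in an affected range, False if it is fixed or
    unaffected, None if the branch is not covered by the advisory summary."""
    v = parse_version(version)
    branch = v[:2]
    if branch in ALL_AFFECTED_BRANCHES:
        return True
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if branch in UNAFFECTED_BRANCHES:
        return False
    return None


def weak_saml_profiles(config_xml):
    """Names of SAML IdP profiles that do not validate the IdP certificate.
    A missing flag is treated as 'not validated' (conservative)."""
    root = ET.fromstring(config_xml)
    weak = []
    # Assumed path to SAML IdP server profiles; adjust for a real export.
    for entry in root.findall(".//server-profile/saml-idp/entry"):
        flag = entry.find("validate-idp-certificate")
        value = (flag.text or "").strip().lower() if flag is not None else ""
        if value != "yes":
            weak.append(entry.get("name"))
    return weak


def assess(version, config_xml):
    """Combine both conditions from the advisory into a single verdict."""
    affected = version_is_affected(version)
    weak = weak_saml_profiles(config_xml)
    return {
        "version_affected": affected,
        "weak_saml_profiles": weak,
        # Exposure requires an affected release AND a profile with validation off.
        "exposed": bool(affected) and bool(weak),
    }


if __name__ == "__main__":
    for ver in ("9.1.2", "9.1.3", "8.1.14-h2", "7.1.26"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

The `exposed` flag only clears when both conditions hold, which mirrors the article: upgrading to a fixed release removes the vulnerability outright, while enabling "Validate Identity Provider Certificate" on every SAML profile closes the precondition on releases that cannot be upgraded immediately.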
Regarding the vulnerable devices, Rudis stated,
We have no specific Sonar study for GlobalProtect PAN-OS devices, but our combined generic studies discovered just over 69,000 nodes, 28,188 (40.6%) of which are in the U.S.
Fortunately, Palo Alto Networks has confirmed no exploitation of the bug in the wild. Nonetheless, United States Cyber Command has urged all users to update their devices.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020