SSH hits the fan
Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks.
The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but high severity – rating a maximum 10 on the CVSS scale.
Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply patches released last week or remove the risk of attack by switching authentication methods.
“Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises.
“They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.”
US Cyber Command took the unusual step of issuing a warning soon after the vulnerability became public that it was likely to become a target of “foreign APTs” – military parlance for attacks by government-backed hackers.
Randori discovered that a successful attack creates a means for an unauthenticated, remote attacker to obtain access to “protected resources” within a targeted network, though gaining administrative privileges through this route might be tricky.
“In general, Palo Alto Networks has done a good job in recommending configurations that reduce the likelihood that an administrative interface is exposed to the internet,” according to Randori.
PAN-OS, Palo Alto’s custom operating system, is widely adopted in the enterprise world.
Randori concludes: “The mitigation steps by Palo Alto Networks are clear, but the Randori Attack Team has not yet been able to validate if/how IAM [Identity and Access Management]} providers, such as Okta, would be affected by the mitigation, or if the recommended mitigation could negatively impact IAM provider integrations.”
PAN-OS devices can be configured to use SAML authentication with single sign-on (SSO) for access management, a setup recommended by identity providers including Duo Security and Okta, among others.
Okta told The Daily Swig that it was well on top of the issue.
Ben King, chief security officer for the identity management company in EMEA, said: "We have been made aware of a Palo Alto Networks firewall vulnerability impacting all independent identity providers that rely on the SAML protocol, including Okta.
"The vulnerability does not exist within the Okta Identity Cloud, and we have worked with the Palo Alto Networks team to quickly provide instructions for potentially impacted joint customers to resolve the issue."