Critical vulnerability rates a maximum 10 out of 10 in severity

A newly discovered critical authentication bypass flaw in Palo Alto firewalls and VPNs is ripe for exploitation by nation-state attackers, US Cyber Command warns.

The PAN-OS security vulnerability (CVE-2020-2021) rates a maximum 10 out of 10 in severity, according to the CVSSv3.1 scale. PAN-OS is Palo Alto’s custom operating system.

The problem stems from improper verification of cryptographic signatures, as an advisory by Palo Alto explains.

“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” it said. “The attacker must have network access to the vulnerable server to exploit this vulnerability.”

If successfully exploited, the vulnerability creates a means for an unauthenticated, remote attacker to obtain access to “protected resources” within a network, network security firm Tenable notes. “The most ideal target, in this case, is Palo Alto Networks’ GlobalProtect VPN,” it warns in a blog post.

The vulnerability is resolved in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Similar flaws in SSL VPN appliances, including vulnerabilities in Pulse Connect Secure (CVE-2019-11510) and Citrix Application Delivery Controller and Gateway (CVE-2019-19781), that arose last year have been exploited in an ongoing run of targeted attacks. A previous vulnerability in Palo Alto Networks GlobalProtect (CVE-2019-1579) has also been hit.

“Cybercriminals capitalized on the availability of proof-of-concept (PoC) exploit code for the vulnerabilities and have utilized them in a variety of attacks, from nation-state threats to a rash of ransomware attacks,” according to Tenable.

You can call me SAML

The security flaw is restricted to cases where enterprises use SAML-based authentication in their security appliance setup. Using alternative authentication methods therefore mitigates the flaw, as explained in Palo Alto’s advisory.

PAN-OS devices can be configured to use SAML authentication with single sign-on (SSO) for access management. This setup is commonly recommended by identity providers, including Duo, Okta, Azure AD, and others, hence the number of potentially vulnerable systems could be high.

Disabling cert verification is another necessary precondition for an attack, but this is likewise commonplace in enterprises. The number of organizations that use SAML authentication with single sign-on and disable cert verification is unclear.

Palo Alto credits Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting the security flaw.

The networking firm said it is “not aware of any malicious attempts to exploit this vulnerability”. No working PoC code is available for this vulnerability as yet.

Security experts, including those tied to the US military, nonetheless remain twitchy.

US Cyber Command tweeted: “Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon.”
