US Cyber Command has warned users to urgently patch a major new vulnerability in PAN-OS, Palo Alto Networks’ operating system for its firewalls and enterprise Virtual Private Network (VPN) appliances. The new vulnerability has the highest possible CVSS score of 10.
The bug gives an attacker the ability to fully bypass a firewall and gain unauthenticated admin access to vulnerable devices: about as bad as it gets, particularly from a security vendor.
“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon”, the Department of Defense organisation warned today. Palo Alto says it has not seen exploits in the wild yet, but given the severity and apparent ease of exploitation, it shouldn’t take long for threat actors to reverse engineer the fix and work out how to exploit the vulnerability,.
The bug will be the second major vulnerability from Palo Alto that has attracted Advanced Persistent Threat (APT) attention in the past year.
CVE-2019-1579 has been widely exploited. (Known vulnerabilities affecting VPN products from Pulse Secure and Fortinet have also been targeted).
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions,” Palo Alto said.
The security company added: “In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0.”
If the web interfaces are only accessible to a restricted management network, then the issue is “lowered” to a CVSS Base Score of 9.6, the company added; hardly a reassuring drop in severity.
For the vulnerability to be exploitable users would have to have Security Assertion Markup Language (SAML) enabled and ‘Validate Identity Provider Certificate’ option disabled. The combination of settings is not unlikely; it’s actively recommended in some circumstances.
The PAN-OS 9.1 user guide, which was apparently last updated 4 days ago (June 25), instructs admins to do just that when setting up DUO integration.
"Disable Validate Identity Provider Certificate, then click OK." pic.twitter.com/KLd78oImzs— Will Dormann (@wdormann) June 29, 2020
SSO, two-factor authentication, and identity services recommend this configuration or may only work using this configuration.
As security firm Tenable notes, these providers include:
- Okta [Image]
- SecureAuth [Image]
- SafeNet Trusted Access [Image]
- Duo [Image]
- Trusona via Azure AD [Image]
- Azure AD [Image]
- Centrify [Image]
The quickest mitigation for users it to disable SAML authentication. Palo Alto’s guidance on mitigation and upgrades is here.
