Critical authentication bypass vulnerability in PAN-OS devices could be exploited in certain configurations, which are commonly recommended by identity providers.
Background
On June 29, Palo Alto Networks published an advisory for a critical vulnerability in PAN-OS. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) uses in their next-generation firewalls.
Analysis
CVE-2020-2021 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication in PAN-OS. The vulnerability was given a CVSSv3.1 score of 10.0 by Palo Alto Networks. According to their advisory, the flaw exists due to “improper verification of signatures.” An unauthenticated, remote attacker could exploit the vulnerability to obtain access to “protected resources” within a network. The ideal target, in this case, is Palo Alto Networks’ GlobalProtect VPN.
If you use Palo-Alto firewalls with SAML -- particularly with GlobalProtect VPN -- you probably want to urgently patch this.
Also researchers should probably avoid disclosing details publicly for a window to give orgs time to mitigate. https://t.co/vh18ZgsurC
— Kevin Beaumont (@GossiTheDog) June 29, 2020
PAN-OS devices may be configured to use SAML authentication with single sign-on (SSO) for access management. Palo Alto Networks lists the following resources that use SAML SSO as potentially affected by this vulnerability:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-gen firewalls including:
Vulnerability Prerequisites
The advisory specifies that this vulnerability could be exploited when the following conditions are met:
Prerequisite #1: SAML authentication required.
As implied in the vulnerability description, a device must be configured to use SAML authentication in order to be vulnerable. If the device is not configured to use SAML authentication, it is not vulnerable.
Prerequisite #2: “Validate Identity Provider Certificate” must be disabled.
Under the SAML Identity Provider Server Profile configuration section, the “Validate Identity Provider Certificate” option needs to be disabled (unchecked) in order for the device to be vulnerable.
Recommended Configurations from Notable Providers
While these prerequisites may seem uncommon, it appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this configuration or may only work using this configuration. These providers include:
- Okta
- SecureAuth
- SafeNet Trusted Access
- Duo
- Trusona via Azure AD
- Azure AD
- Centrify
SSL VPN Flaws: A History Lesson
In 2019, several notable SSL virtual private network (VPN) flaws were disclosed by researchers, including a critical pre-authentication vulnerability in Palo Alto Networks' GlobalProtect. Several other SSL VPN flaws were disclosed, including the following:
| CVE | Product | Exploited | Blogs |
|---|---|---|---|
| CVE-2019-1579 | Palo Alto Networks GlobalProtect | Yes | 1 |
| CVE-2019-11510 | Pulse Connect Secure | Yes | 1, 2, 3 |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN | Yes | 1 |
| CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | Yes | 1, 2, 3 |
Cybercriminals capitalized on the availability of proof-of-concept (PoC) exploit code for these vulnerabilities and have used them in a variety of attacks, from nation-state intrusions to a rash of ransomware incidents. These flaws have remained popular in 2020, as the Cybersecurity and Infrastructure Security Agency lists a few of them as being “routinely exploited by sophisticated foreign cyber actors.”
Several notable security researchers, as well as the United States Cyber Command, have warned that CVE-2020-2021 will likely be leveraged by attackers in the near future.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability. https://t.co/WwJdil5X0F
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
Proof of concept
At the time this blog post was published, there was no working PoC code available for this vulnerability. However, we expect a PoC will become available in the near future.
Solution
Palo Alto Networks has released patches for PAN-OS 8.x, 9.0.x and 9.1.x. PAN-OS 7.1 is not affected by this vulnerability. The following table lists the affected and fixed PAN-OS versions.
| PAN-OS Version | Vulnerable | Affected Versions | Fixed Versions |
|---|---|---|---|
| 7.1 | No | - | - |
| 8.0.x | Yes | 8.0.0 and greater | - |
| 8.1.x | Yes | 8.1.15 and lesser | 8.1.15 and greater |
| 9.0.x | Yes | 9.0.9 and lesser | 9.0.9 and greater |
| 9.1.x | Yes | 9.1.3 and lesser | 9.1.3 and greater |
Tenable strongly encourages patching your PAN-OS devices whether or not your devices have the specific prerequisites required for exploitation.
If upgrading is not feasible at this time, Palo Alto Networks provides several mitigation options. The quickest solution would be to disable SAML authentication altogether and switch to a different authentication method.
Additional mitigation options include:
- If available, use a certificate from an identity provider (IdP) that is signed by a certificate authority (CA)
- Enable the “Validate Identity Provider Certificate” option
The reason providers suggest disabling the “Validate Identity Provider Certificate” option is because they are using self-signed certificates, which will not work when “Validate Identity Provider Certificate” is enabled. If the provider does offer a CA-signed certificate, it is strongly recommended to use that certificate with the option enabled.
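The version table and the two configuration prerequisites above can be turned into a simple triage check for an inventory of firewalls. The following is an added example written for this post, not Palo Alto Networks or Tenable code; it assumes the "Fixed Versions" column is authoritative (the first fixed release and everything after it is clean, everything earlier in that train is affected), that 8.0.x has no fix, and that the SAML profile fields are supplied by the operator from the device configuration.

```python
from dataclasses import dataclass

# First fixed release per affected train, taken from the advisory table.
# None means no fixed release exists for that train (8.0.x).
FIRST_FIXED = {
    (8, 0): None,
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 3),
}
NOT_AFFECTED_TRAINS = {(7, 1)}   # 7.1 is listed as not vulnerable


def parse_version(text):
    """Turn a PAN-OS version such as '9.0.8' or '8.1.15-h1' into (major, minor, patch)."""
    base = text.strip().split("-")[0]          # drop a hotfix suffix like '-h1'
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


@dataclass
class SamlProfile:
    """Operator-supplied view of the SAML Identity Provider Server Profile (assumed shape)."""
    saml_enabled: bool
    validate_idp_cert: bool   # the "Validate Identity Provider Certificate" checkbox


def version_status(version):
    """Return 'not_affected', 'affected', 'fixed' or 'unknown' for a PAN-OS version."""
    v = parse_version(version)
    train = v[:2]
    if train in NOT_AFFECTED_TRAINS:
        return "not_affected"
    if train not in FIRST_FIXED:
        return "unknown"                         # train not covered by the advisory table
    fixed = FIRST_FIXED[train]
    return "affected" if fixed is None or v < fixed else "fixed"


def assess(version, profile):
    """Combine code version and SAML configuration into a triage verdict."""
    status = version_status(version)
    if status != "affected":
        return "no action: version " + status
    if not profile.saml_enabled:
        return "patch: affected code, SAML not in use (prerequisite #1 not met)"
    if profile.validate_idp_cert:
        return "patch: affected code, IdP certificate validation enabled (prerequisite #2 not met)"
    return "urgent: exploitable configuration; patch now or enable IdP certificate validation"
```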
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Because the vulnerability is configuration dependent, our plugins will detect potentially vulnerable hosts that would then need to be manually confirmed to be vulnerable based on the specific deployment scenarios. With the design of this plugin, users are required to enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan.
We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.
Enabling Paranoid Mode
To enable this setting for Nessus and Tenable.io users:
- Click Assessment > General > Accuracy
- Enable the “Show potential false alarms” option
To enable this setting for Tenable.sc (formerly SecurityCenter) users:
- Click Assessment > Accuracy
- Click the drop-down box and select “Paranoid (more false alarms)”