A Vulnerability in Palo Alto PAN-OS Could Allow for Authentication Bypass

ITS Advisory Number: 
2020-085
Date(s) Issued: 
Monday, June 29, 2020
Subject: 
A Vulnerability in Palo Alto PAN-OS Could Allow for Authentication Bypass
Overview: 

A vulnerability in Palo Alto PAN-OS which could allow for authentication bypass. PAN-OS is an operating system for all Palo Alto Networks next generation firewalls and other products. A network-based attacker could exploit this issue if SAML authentication is enabled on the affected device. Successful exploitation of this vulnerability could allow for an attacker to gain unauthorized access to the affected application and perform actions as an administrator.

 

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

Systems Affected: 
  • PAN-OS Versions 9.1 prior to 9.1.3
  • PAN-OS Versions 9.0 prior to 9.0.9
  • PAN-OS All Versions of 8.0
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

A vulnerability in Palo Alto PAN-OS which could allow for authentication bypass. When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources(CVE-2020-2021). Protected resources that an attacker can potentially access include GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. If the web interfaces are only accessible to a restricted management network then risk of exploitation is lowered. Successful exploitation of this vulnerability could allow for an attacker to gain unauthorized access to the affected application and perform actions as an administrator.

Actions: 
  • After appropriate testing, immediately apply appropriate patches or appropriate mitigations provided by Palo Alto to vulnerable systems. 
  • Check if affected Palo Alto products are implementing SAML. (if they are not using SAML you are not impacted)
  • If updating is not immediately available and the affected products are using SAML, apply mitigations by enabling the 'Validate Identity Provider Certificate' option in the SAML Identity Provider Server Profile if allowed. (See below knowledge base reference for additional details)
  • Block external access at the network boundary, unless external parties require service.
  • If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.