US govt warns foreign hackers 'will likely try to exploit' critical firewall bypass bug in Palo Alto gear – patch now

Bogus signatures may fool your corp network's gatekeeper


Palo Alto Networks has issued a fix for a security hole in its firewall products – one so serious, Uncle Sam urged organizations to patch it ASAP as foreign hackers "will likely attempt to exploit it soon."

IT admins should apply mitigations or update the PAN-OS firmware in their gateways to squash the CVE-2020-2021 bug – a 10-out-of-10 critical vulnerability that allows outside unauthenticated miscreants to gain access to resources protected by the equipment, or hijack the kit itself, depending on its configuration and product type. Here's the official word from Palio Alto this week:

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

The upshot is that a hacker can either potentially access systems protected by vulnerable firewalls, or gain administrative control over the equipment, depending on the product being exploited.

"In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies," said Palo Alto in its advisory.

"There is no impact on the integrity and availability of the gateway, portal, or VPN server.

"In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions."

While Palo Alto said it has not yet seen any exploits targeting the flaw in the wild, the risk is serious enough that the US government's Cyber Command yesterday warned hacking crews are likely to set their sights on the vulnerability:

Alternatively to patching, admins can stop using SAML for sign-on, or enable the Validate Identity Provider Certificate option. You can check if SAML is on by using the Server Profiles > SAML Identity Provider menu. It is also recommended administrators restart the device, if possible, to clear out any unauthorized network sessions.

Credit for the discovery and reporting of the flaw went to Salman Khan and Cameron Duck at Monash University in Australia. Khan works in the university's cyber risk and resilience team, while Duck is with the identity services team. ®

Broader topics


Other stories you might like

  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading
  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading

Biting the hand that feeds IT © 1998–2022