Palo Alto Networks has issued a fix for a security hole in its firewall products – one so serious, Uncle Sam urged organizations to patch it ASAP as foreign hackers "will likely attempt to exploit it soon."
IT admins should apply mitigations or update the PAN-OS firmware in their gateways to squash the CVE-2020-2021 bug – a 10-out-of-10 critical vulnerability that allows outside unauthenticated miscreants to gain access to resources protected by the equipment, or hijack the kit itself, depending on its configuration and product type. Here's the official word from Palo Alto this week:
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.
This issue cannot be exploited if SAML is not used for authentication.
This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.
The upshot is that a hacker can potentially either access systems protected by vulnerable firewalls, or gain administrative control over the equipment itself, depending on which product is being exploited.
"In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies," said Palo Alto in its advisory.
"There is no impact on the integrity and availability of the gateway, portal, or VPN server.
"In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions."
While Palo Alto said it has not yet seen any exploits targeting the flaw in the wild, the risk is serious enough that the US government's Cyber Command yesterday warned hacking crews are likely to set their sights on the vulnerability:
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
As an alternative to patching, admins can stop using SAML for sign-on, or enable the Validate Identity Provider Certificate option. You can check whether SAML is in use via the Server Profiles > SAML Identity Provider menu. It is also recommended that administrators restart the device, if possible, to clear out any unauthorized network sessions.
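To illustrate what the Validate Identity Provider Certificate option guards against, here is an added example (not Palo Alto's code, and not a model of the PAN-OS internals) of the certificate-pinning step a SAML service provider performs before trusting a signature: the certificate carried in the response's KeyInfo is fingerprinted and compared against the administrator-configured IdP certificate. The certificate bytes and the SAML responses are constructed placeholders; the block models only the pinning decision, not XML-DSig verification itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder for the configured IdP certificate (not real DER).
TRUSTED_IDP_DER = b"constructed-idp-certificate-der-bytes"
TRUSTED_IDP_FINGERPRINT = hashlib.sha256(TRUSTED_IDP_DER).hexdigest()


def build_response(cert_der: bytes) -> str:
    """Constructed minimal SAML Response whose Signature embeds cert_der."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:ds="%s" ID="_constructed">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    ) % (NS["samlp"], NS["ds"], b64)


def embedded_cert_fingerprint(saml_response_xml: str) -> Optional[str]:
    """SHA-256 fingerprint of the X509Certificate in ds:KeyInfo, or None."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        return None
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(der).hexdigest()


def signing_cert_trusted(saml_response_xml: str, trusted_fingerprints: set,
                         validate_idp_certificate: bool = True) -> bool:
    """Decide whether the embedded signing certificate may be used to verify
    the response. With validation on, only the pinned IdP certificate is
    accepted; with it off, any embedded certificate is taken at face value,
    so a signature check proves only that *some* key signed the message."""
    fp = embedded_cert_fingerprint(saml_response_xml)
    if fp is None:
        return False
    if not validate_idp_certificate:
        return True  # weak posture: no pinning to the configured IdP
    return fp in trusted_fingerprints
```

Running the two responses through `signing_cert_trusted` with validation on and off shows why the advisory lists enabling the option as a mitigation: with it on, a response carrying any certificate other than the configured one is rejected before the signature is even checked.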
Credit for the discovery and reporting of the flaw went to Salman Khan and Cameron Duck at Monash University in Australia. Khan works in the university's cyber risk and resilience team, while Duck is with the identity services team. ®