CVE-2020-2021 : Palo alto Networks Vulnerability, Patch now!

Image retrieved from https://sg.channelasia.tech/article/671366/ntt-edges-closer-palo-alto-networks-underpinned-by-managed-security-services/

 

Palo Alto Networks is an American multinational cybersecurity agency with headquarters in Santa Clara, California. Its core merchandise is a platform that includes superior firewalls and cloud-based total services that extend those firewalls to cover other aspects of security. The organization serves over 60,000 agencies in over 150 countries, including 85 of the Fortune 100.


On June 29, Palo Alto Networks published an advisory for a vital vulnerability in PAN-OS. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) makes use of in their next-era firewalls. Palo Alto launched information on CVE-2020-2021, a new, essential weak spot in SAML authentication on PAN-OS devices. PAN engineers stated the malicious program is handiest exploitable if the 'Validate Identity Provider Certificate' option is disabled and if SAML (Security Assertion Markup Language) is enabled.

 

This vulnerability impacts:

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3

PAN-OS 9.0 versions earlier than PAN-OS 9.0.9

PAN-OS 8.1 versions earlier than PAN-OS 8.1.15

All versions of PAN-OS 8.0 (EOL)

However, it does not affect PAN-OS 7.1.

 

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (think Okta, Duo, etc.) to pass authorization credentials to service providers which means you could use one set of credentials to get right of entry to many different web sites or, in this case, devices.


If SAML is enabled on affected PAN-OS versions and the “Validate Identity Provider Certificate'” option is disabled, then far off attackers can use this located weak point to bypass authentication and get entry to resources at the protected aspect of the network. It is important to note that Palo Alto strongly discourages disabling identity provider certificate validation in its setup documentation.
Attackers require network get admission to take benefit of this weak point, which means that users of Palo Alto’s Global Protect VPN are at risk of this vulnerability if configured with SAML authentication and identity provider certificate validation is disabled.

Palo Alto Networks has released patches for PAN-OS 8.x and 9.0.x and 9.1.x. PAN-OS 7.1 is not affected by this vulnerability. The following table lists the PAN-OS affected and fixed versions.

 

PAN-OS Version

Vulnerable

Affected versions

Fixed Versions

7.1

No

-

-

8.0.x

Yes

8.0.0 and greater

 

-

8.1.x

Yes

8.1.15 and lesser

8.1.15 and greater

9.0.x

Yes

9.0.9 and lesser

9.0.9 and greater

9.1.x

Yes

9.1.3 and lesser

9.1.3 and greater

 

If upgrading is not feasible currently, Palo Alto Networks provides mitigation options. The quickest solution would be to disable SAML authentication altogether and switch to a different authentication method.

  1. If available, use a certificate from an identity provider (IdP) that is signed by a certificate authority (CA)
  2. Enable the “Validate Identity Provider Certificate” option

Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.

 

For more information on this vulnerability visit Palo Alto Networks https://security.paloaltonetworks.com/CVE-2020-2021

Add comment