On June 29, 2020, Palo Alto Networks published a security advisory for CVE-2020-2021, a vulnerability in the way signatures are verified in the Palo Alto Networks operating system’s (PAN-OS) security assertion markup language (SAML) authentication. The vulnerability exists when SAML authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled, which then allows unauthenticated network-based attackers to access protected resources. According to the advisory, successful exploitation requires that an attacker have network access to the vulnerable server.
Of note: SAML authentication is not the default authentication scheme; however, when SAML authentication is enabled, the Validate Identity Provider Certificate option is disabled by default. For further information, refer to Palo Alto’s notes on conditions required for exposure.
Rapid7’s Project Sonar identified 69,501 instances of Palo Alto’s Global Protect VPN on the public internet. There are no known public exploits for this vulnerability as of June 29, 2020. CVE-2020-2021 has a CVSSv3 base score of 10.0.
Affected products include:
- PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
- PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
- PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
- All versions of PAN-OS 8.0 (EOL)
PAN-OS 7.1 is unaffected, according to Palo Alto’s advisory.
Rapid7 analysis: Like most misconfiguration issues and vulnerabilities affecting authentication mechanisms or cryptographic implementations, Rapid7 researchers rate this vulnerability as having high attacker value. Generally speaking, firewalls, VPNs, and other internet-facing security products are attractive targets for both APT and commodity attackers. The COVID-19 pandemic amplifies this risk, with a large portion of the workforce having moved to remote work in a short period of time—which strains many security and IT teams’ ability to implement strong mitigating controls while maintaining worker accessibility.
While this particular advisory is specific to PAN-OS, it’s likely that other vendors’ SAML implementations are vulnerable to similar issues. Developers and the broader security community would be well-advised to ensure that code with implications for SAML is reviewed thoroughly, since the severity of vulnerabilities affecting authentication mechanisms is inherently high.
Guidance: Palo Alto customers should update PAN-OS to an unaffected version as soon as possible; if you are not able to update, disabling SAML authentication is an effective mitigation strategy. Beyond the specific mitigations for this advisory, we strongly encourage organizations to avoid putting any sort of management appliance, including those running PAN-OS, online in a way that allows public IP access.
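The following script is an added example (not code from Rapid7 or Palo Alto Networks) that turns the affected-version list and exposure conditions above into a repeatable check a defender can run against an inventory of PAN-OS devices. It assumes PAN-OS version strings of the form `major.minor.patch` with an optional `-hN` hotfix suffix; the function names, the status labels and the sample inventory are constructed for this example.

```python
import re
from typing import Dict, Tuple

# Affected ranges as stated in the advisory for CVE-2020-2021:
# each release train maps to the first fixed version; 8.0 has no fix (EOL);
# 7.1 is stated to be unaffected. Trains not listed here are reported as
# "not listed" rather than guessed at.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
}
ALL_AFFECTED_TRAINS = {(8, 0)}
UNAFFECTED_TRAINS = {(7, 1)}

# Assumption: versions look like "9.1.2" or "9.1.2-h1" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version string into (major, minor, patch, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def version_status(text: str) -> str:
    """Classify a version against the advisory's affected ranges."""
    major, minor, patch, _hotfix = parse_version(text)
    train = (major, minor)
    if train in UNAFFECTED_TRAINS:
        return "unaffected"
    if train in ALL_AFFECTED_TRAINS:
        return "affected"
    if train in FIXED_IN:
        # A hotfix of an affected base version (e.g. 8.1.14-h2) is still
        # below the fixed version, so compare only major.minor.patch.
        return "affected" if (major, minor, patch) < FIXED_IN[train] else "fixed"
    return "not listed"


def exposure(version: str, saml_enabled: bool, validate_idp_cert: bool) -> str:
    """Combine the version check with the two configuration conditions
    the advisory names: SAML authentication enabled and the
    'Validate Identity Provider Certificate' option disabled."""
    status = version_status(version)
    if status != "affected":
        return status
    if not saml_enabled:
        return "mitigated (SAML authentication disabled)"
    if validate_idp_cert:
        return "not exposed (IdP certificate validation enabled)"
    return "exposed"


# Constructed sample inventory: (hostname, version, saml_enabled, validate_idp_cert)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "9.1.2", True, False),
    ("fw-edge-02", "9.1.3", True, False),
    ("fw-dc-01", "8.0.21", True, True),
    ("fw-lab-01", "8.1.14-h2", False, False),
    ("fw-legacy-01", "7.1.26", True, False),
]


def assess_inventory(inventory):
    """Return {hostname: exposure status} for a list of inventory tuples."""
    return {host: exposure(ver, saml, idp) for host, ver, saml, idp in inventory}


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Only devices reported as "exposed" meet all of the advisory's conditions; an "affected" version with SAML disabled is mitigated rather than fixed, so it still belongs on the upgrade list.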