06.30.20

Vulnerability SPOT Report

SPOT Report - Palo Alto Networks Authentication Bypass

By Tim Grossner

Palo Alto Networks has released a security advisory for CVE-2020-2021, a flaw in PAN-OS SAML authentication in which the signature from the SAML identity provider is not validated. When exploited, this can give an unauthenticated actor access to resources protected by SAML authentication: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, the PAN-OS next-generation firewall (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access.

Potential Impact

If SAML is used to authenticate a user or administrator and the SAML profile is not configured to validate the identity provider's certificate, then an attacker who successfully exploits this flaw gains whatever access the SAML authentication would have granted.

Affected Versions

Palo Alto Networks (All Platforms/VMs):

  • PAN-OS 8.1 versions earlier than 8.1.15.
  • PAN-OS 9.0 versions earlier than 9.0.9.
  • All versions of PAN-OS 8.0.

Managing and Mitigating Risk

CVE-2020-2021 has low attack complexity, requires no user interaction and no privileges, and has a high impact on confidentiality, integrity and availability; its CVSS score is 10. There is currently no known proof-of-concept code or public exploit available; however, USCYBERCOM expects foreign APTs to begin developing exploits soon.

The vulnerability is not difficult to patch or mitigate. Patch by updating to PAN-OS 8.1.15 or 9.0.9 or later. Alternatively, enable the option to validate the identity provider certificate in the SAML server profile configuration, provided your SAML identity provider supports that configuration; verify this with your SAML provider before relying on the mitigation route. See https://security.paloaltonetworks.com/CVE-2020-2021 for details on the patched PAN-OS versions available.

If you are a deepwatch VM customer, deepwatch can locate devices that may be exposed to this vulnerability. Your deepwatch VM engineer will contact you about any devices that warrant further investigation.

If you are a deepwatch FW customer, we can review your configuration for the scenario above and help you remediate based on your options.

Detection

Tenable plugin 137880 will detect CVE-2020-2021.

Qualys has not yet published a detection but generally publishes them within 48-72 hours of release, depending on complexity. In the absence of an available detection, any Palo Alto device showing up in your scans running an affected version of PAN-OS should be assumed vulnerable and investigated.
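While a scanner detection is pending, the Affected Versions list above is enough to triage a device inventory by hand. The following Python is an added example written for this report, not deepwatch's or Palo Alto Networks' own tooling: it parses PAN-OS version strings (including the "-hN" hotfix suffix) and classifies each device as affected, fixed, or "not listed" against exactly the three ranges the report gives. The host names and versions in the sample inventory are constructed. Release trains the report does not mention are deliberately returned as "not listed" rather than "fixed", so they are checked against the vendor advisory instead of being assumed safe.

```python
import re

# Affected ranges as listed in this SPOT report (encoded here from the text above):
#   all PAN-OS 8.0; PAN-OS 8.1 earlier than 8.1.15; PAN-OS 9.0 earlier than 9.0.9.
FIRST_FIXED = {
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
}
WHOLE_TRAIN_AFFECTED = {(8, 0)}

# PAN-OS version strings look like "9.0.8" or, with a hotfix, "9.0.8-h1";
# an optional "PAN-OS " prefix is tolerated because scanner exports often include it.
_VERSION_RE = re.compile(
    r"^(?:PAN-OS\s+)?(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version):
    """Classify one version against the report's affected list.

    Returns "affected", "fixed", or "not listed". A hotfix such as 8.1.14-h1
    still sits below 8.1.15 and is therefore affected; 9.0.9-h1 is fixed.
    Trains the report does not mention (for example 9.1) come back as
    "not listed" and must be checked against the vendor advisory, never
    assumed safe.
    """
    v = parse_version(version)
    train = v[:2]
    if train in WHOLE_TRAIN_AFFECTED:
        return "affected"
    first_fixed = FIRST_FIXED.get(train)
    if first_fixed is None:
        return "not listed"
    return "affected" if v[:3] < first_fixed else "fixed"


def triage(rows):
    """Map host name -> classification for (host, version) pairs from a scan."""
    return {host: classify(version) for host, version in rows}


# Constructed sample inventory standing in for a scanner export (hypothetical hosts).
SAMPLE_SCAN = [
    ("fw-dc1-edge", "8.1.14"),
    ("fw-dc1-core", "8.1.15"),
    ("fw-branch-07", "PAN-OS 8.0.20"),
    ("vm-azure-01", "9.0.8-h1"),
    ("vm-azure-02", "9.0.9-h1"),
    ("panorama-01", "9.1.2"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{host:14s} {verdict}")
```

Feed it the host/version columns from your Tenable or Qualys asset export; anything that comes back "affected" should be treated as vulnerable and investigated, and anything "not listed" should be compared against the current advisory at https://security.paloaltonetworks.com/CVE-2020-2021 before it is cleared.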

Contributors

  • Tim Grossner, Firewall Engineer

Supporting Information

  • https://security.paloaltonetworks.com/CVE-2020-2021
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2021