05.15.20

Vulnerability SPOT Report

Palo Alto Networks & Cisco Kerberos Authentication Bypass

By Tim Grossner

Palo Alto Networks and Cisco have each released security advisories for a flaw in their use of the Kerberos protocol.

Researchers from security firm Silverfort discovered the vulnerabilities, which are caused by a mistake in the implementation of the KDC (Kerberos Key Distribution Center) communication. Cisco and Palo Alto Networks have both released patches for the flaw.

In this scenario, the firewalls use the Kerberos protocol to authenticate the users who administer them.

Potential Impact

By impersonating the KDC from a man-in-the-middle position between PAN-OS/Cisco ASA and the KDC, an attacker can log in to PAN-OS as an administrator. This is a highly complex attack vector, because an attacker would need to intercept two-way communication between the firewall/Panorama and the Kerberos KDC and alter the messages in real time. Because of that, the attack complexity is considered High, as is the impact.

Affected Devices

Palo Alto Networks (All Platforms/VMs):

  • PAN-OS 7.1 versions earlier than 7.1.26.
  • PAN-OS 8.1 versions earlier than 8.1.13.
  • PAN-OS 9.0 versions earlier than 9.0.6.
  • All versions of PAN-OS 8.0.

Cisco ASA (Earlier than):

  • 9.8.4.15
  • 9.9.2.66
  • 9.10.1.37
  • 9.12.3.2
  • 9.13.1.7

* Version 9.14.X is not vulnerable.

Managing and Mitigating Risk

Each Common Vulnerabilities and Exposures (CVE) entry is documented below with its exploit capability, impact, and an advisory link that directs organizations to a patch for the impacted devices.

Palo Alto Networks (CVE-2020-2002)

Attack Complexity: High

Impact: High

Description: This vulnerability affects any Palo Alto Networks firewall that runs one of the PAN-OS versions in the list above and is configured to use the Kerberos authentication system to authenticate administrators.

Resolution: Software update to a PAN-OS version outlined above.

Please refer to https://security.paloaltonetworks.com/CVE-2020-2002 for details on patched PAN-OS versions available.

Cisco ASA (CVE-2020-3125)

Attack Complexity: High

Impact: High

Description: This vulnerability affects the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software. This could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access.

Resolution: Software update and configuration changes need to happen on vulnerable device(s).

Please refer to https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS for additional details
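For inventory triage, the following Python function classifies a device's reported version against the affected-version lists above. It is an added example, not part of the original report or either vendor's tooling. The platform labels ("panos", "asa"), the status strings and the uses_kerberos flag are assumptions of this example; release trains this page does not name return "unknown" and should be checked against the vendor advisory.

```python
import re

# Fixed-release thresholds copied from the "Affected Devices" lists above.
# Key = release train (major, minor); value = first version that is not affected.
PANOS_FIXED = {(7, 1): (7, 1, 26), (8, 1): (8, 1, 13), (9, 0): (9, 0, 6)}
PANOS_ALL_AFFECTED = {(8, 0)}          # "All versions of PAN-OS 8.0"
ASA_FIXED = {(9, 8): (9, 8, 4, 15), (9, 9): (9, 9, 2, 66), (9, 10): (9, 10, 1, 37),
             (9, 12): (9, 12, 3, 2), (9, 13): (9, 13, 1, 7)}
ASA_NOT_VULNERABLE = {(9, 14)}         # "version 9.14.X is not vulnerable"


def parse_version(text):
    """Turn '8.1.12-h3', '9.8(4)15' or '9.8.4.15' into a tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def triage(platform, version, uses_kerberos):
    """Classify one device against the lists on this page.

    Returns 'affected', 'vulnerable-version' (listed version, but Kerberos
    authentication is not configured), 'not-affected', or 'unknown' (release
    train not mentioned on this page).
    """
    v = parse_version(version)
    if len(v) < 2:
        return "unknown"
    train = v[:2]
    if platform == "panos":
        fixed, all_bad, safe = PANOS_FIXED, PANOS_ALL_AFFECTED, set()
    elif platform == "asa":
        fixed, all_bad, safe = ASA_FIXED, set(), ASA_NOT_VULNERABLE
    else:
        return "unknown"
    if train in safe:
        return "not-affected"
    if train in all_bad:
        vulnerable = True
    elif train in fixed:
        # Pad/truncate so '9.8.4' compares as 9.8.4.0 and a PAN-OS hotfix
        # suffix ('-h3') does not take part in the comparison.
        width = len(fixed[train])
        vulnerable = (v + (0,) * width)[:width] < fixed[train]
    else:
        return "unknown"
    if not vulnerable:
        return "not-affected"
    return "affected" if uses_kerberos else "vulnerable-version"
```

A "vulnerable-version" result still warrants the update, since enabling Kerberos authentication later would expose the device.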

Detection

At this time there are no known detection or prevention signatures for CVE-2020-2002 or CVE-2020-3125 by either vendor.

Qualys released QID 316611 on May 14 to detect CVE-2020-3125 on Cisco ASAs. At the time of publication, it had not released a detection for CVE-2020-2002 on Palo Altos. At the time of publication, Tenable has not released detections for either vulnerability.

deepwatch will continue to monitor the situation for signatures, use cases, and detections for next-generation firewalls with regard to these two vulnerabilities, and will update customers' environments when possible.

Contributors

Raheem Adams

Timothy Grossner

 

Supporting Information
  • https://security.paloaltonetworks.com/CVE-2020-2002
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-2002
  • https://www.csoonline.com/article/3543838/cisco-and-palo-alto-networks-appliances-impacted-by-kerberos-authentication-bypass.html#tk.rss_all
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3125