06.30.20

SPOT Report – Palo Alto Networks Authentication Bypass

By Tim Grossner

Palo Alto Networks has released a security advisory for CVE-2020-2021, a flaw in which PAN-OS does not validate the signature of the SAML identity provider. Where SAML authentication is in use, an unauthenticated actor can exploit this to gain access to GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, the PAN-OS next-generation firewall (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access.

Potential Impact

If SAML is used to authenticate users or administrators and the SAML server profile is not configured to validate the identity provider’s certificate, then an attacker who successfully exploits this flaw gains whatever access SAML authentication would have granted.

Affected Versions

Palo Alto Networks (All Platforms/VMs):

  • PAN-OS 8.1 versions earlier than 8.1.15.
  • PAN-OS 9.0 versions earlier than 9.0.9.
  • All versions of PAN-OS 8.0.

Managing and Mitigating Risk

CVE-2020-2021 has low attack complexity, requires no user interaction and no privileges, and has a high impact on confidentiality, integrity and availability; its CVSS score is 10. There is currently no known proof-of-concept code or public exploit available; however, USCYBERCOM expects foreign APTs to develop exploits soon.

The vulnerability is not difficult to mitigate or patch. You can patch by updating to PAN-OS 8.1.15 or 9.0.9 or later, or mitigate by enabling the option to validate the identity provider certificate in the SAML provider server profile configuration, assuming your SAML provider supports such a configuration. Verify with your SAML provider that they support this configuration if you take the mitigation route. Refer to https://security.paloaltonetworks.com/CVE-2020-2021 for details on the patched PAN-OS versions available.
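As an added illustration (not Deepwatch tooling or Palo Alto Networks code), the following triage helper applies the affected version ranges listed above to a device's reported PAN-OS version and then reviews the SAML IdP server profiles in its XML configuration for the certificate-validation option. The config element name validate-idp-certificate and the sample configuration are assumptions constructed for the example, not taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as the advisory states them: all 8.0.x, 8.1 < 8.1.15, 9.0 < 9.0.9.
FIXED_IN = {(8, 1): (8, 1, 15), (9, 0): (9, 0, 9)}
ALWAYS_AFFECTED = {(8, 0)}

def parse_panos_version(text):
    """'9.0.8-h1' -> (9, 0, 8); hotfix suffixes are ignored for the range check."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(text):
    """True/False for trains the advisory covers; None for trains it does not mention."""
    ver = parse_panos_version(text)
    if ver[:2] in ALWAYS_AFFECTED:
        return True
    fixed = FIXED_IN.get(ver[:2])
    return None if fixed is None else ver < fixed

# Constructed excerpt shaped like a PAN-OS XML running config. The element name
# validate-idp-certificate is an assumption about the schema, not taken from the advisory.
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="idp-weak"><entity-id>https://idp.example.test</entity-id>
    <validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="idp-hardened"><entity-id>https://idp.example.test</entity-id>
    <validate-idp-certificate>yes</validate-idp-certificate></entry>
  <entry name="idp-unset"><entity-id>https://idp.example.test</entity-id></entry>
</saml-idp></server-profile></shared></config>"""

def unvalidated_saml_profiles(config_xml):
    """SAML IdP profiles not explicitly validating the IdP certificate (a missing element counts as weak)."""
    root = ET.fromstring(config_xml)
    weak = []
    for entry in root.iterfind(".//saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        if flag.strip().lower() != "yes":
            weak.append(entry.get("name"))
    return weak

def triage(version, config_xml):
    """Per-device verdict: patch status first, then whether the SAML mitigation is in place."""
    affected = version_affected(version)
    if affected is None:
        return "version not covered by advisory text; review manually"
    if not affected:
        return "patched"
    weak = unvalidated_saml_profiles(config_xml)
    return "vulnerable: " + ", ".join(weak) if weak else "mitigated by profile configuration"
```

Trains the advisory text does not list (such as 9.1) are deliberately reported as unknown rather than safe, so they still get a manual look.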

If you are a Deepwatch VM customer, Deepwatch can locate devices that are potentially affected by this vulnerability. Your Deepwatch VM engineer will be in contact with you regarding whether you have any devices that warrant further investigation.

If you are a Deepwatch FW customer, we can review your configuration for the scenario above and help you remediate based on your options.

Detection

Tenable plugin 137880 will detect CVE-2020-2021.

Qualys has not yet published a detection but generally publishes one within 48-72 hours of release, depending on complexity. In the absence of an available detection, any Palo Alto device that appears in your scans running an affected version of PAN-OS should be assumed vulnerable and investigated.

Contributors

  • Tim Grossner, Firewall Engineer

Supporting Information

  • https://security.paloaltonetworks.com/CVE-2020-2021
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2021
