SPOT Report – Palo Alto Networks Authentication Bypass
By Tim Grossner
Palo Alto Networks has released a notification of vulnerability CVE-2020-2021, a flaw in which the signature of the SAML identity provider is not validated. If manipulated, this can provide an unauthenticated actor access to GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewall (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. Unauthenticated access applies in the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access.
If SAML is used to authenticate a user or administrator and the SAML profile is not configured to validate the identity provider's certificate, an attacker who successfully exploits this flaw gains whatever access that SAML authentication would grant.
Affected versions, Palo Alto Networks (all platforms/VMs):
- PAN-OS 8.1 versions earlier than 8.1.15.
- PAN-OS 9.0 versions earlier than 9.0.9.
- All versions of PAN-OS 8.0.
Managing and Mitigating Risk
CVE-2020-2021 has low attack complexity, requires no user interaction and no privileges, and has high impact on confidentiality, integrity and availability; its CVSS score is 10. There is currently no known proof-of-concept code or public exploit available; however, USCYBERCOM expects foreign APTs will be developing exploits soon.
The vulnerability is not difficult to mitigate or patch. Patch by updating to PAN-OS 8.1.15 or 9.0.9 or later, or mitigate by enabling the option to validate the identity provider certificate in the SAML identity provider server profile configuration, assuming your SAML provider supports such a configuration. If you take the mitigation route, verify with your SAML provider that they support this configuration. Refer to https://security.paloaltonetworks.com/CVE-2020-2021 for details on the patched PAN-OS versions available.
If you are a Deepwatch VM customer, Deepwatch can locate devices that are potentially affected by this vulnerability. Your Deepwatch VM engineer will be in contact with you regarding whether you have any devices that warrant further investigation.
If you are a Deepwatch FW customer, we can review your configuration for the scenario above and help you remediate based on your options.
Tenable plugin 137880 will detect CVE-2020-2021.
Qualys has not yet published a detection but generally publishes them within 48-72 hours of release, depending on complexity. Until a detection is available, any Palo Alto device that appears in your scans running an affected PAN-OS version should be assumed vulnerable and investigated.
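As an added triage example (not code from this report or from Palo Alto Networks), the following Python checks a PAN-OS version string against the affected trains listed above and inspects an exported configuration for SAML identity provider profiles that do not validate the IdP certificate, which is the scenario the mitigation addresses. The XML element names and the sample configuration fragment are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected trains from the report: all of 8.0 (no fixed release), 8.1 before 8.1.15, 9.0 before 9.0.9.
FIXED_IN = {(8, 0): None, (8, 1): (8, 1, 15), (9, 0): (9, 0, 9)}

def parse_panos_version(version):
    """Split '9.0.9-h1' into ((9, 0, 9), 1); the hotfix number is 0 when absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint)), int(hotfix or 0)

def version_affected(version):
    """True if the version falls inside one of the affected trains listed in the report."""
    base, _hotfix = parse_panos_version(version)
    train = base[:2]
    if train not in FIXED_IN:
        return False      # train not named in the report (e.g. 9.1, 10.0)
    fix = FIXED_IN[train]
    if fix is None:
        return True       # 8.0: every release is affected, upgrade is the only fix
    return base < fix     # a hotfix on the fixed release (9.0.9-h1) is still fixed

def saml_profiles_without_validation(config_xml):
    """Names of SAML IdP server profiles whose IdP-certificate validation is not enabled.
    The element names (saml-idp, entry, validate-idp-certificate) are an assumption
    about the exported PAN-OS configuration, not taken from the report."""
    root = ET.fromstring(config_xml)
    return [prof.get("name")
            for block in root.iter("saml-idp")
            for prof in block.findall("entry")
            if prof.findtext("validate-idp-certificate", "no").strip().lower() != "yes"]

def triage(version, config_xml):
    """Combine both checks: a device is exposed only on an affected version with at
    least one SAML profile that does not validate the identity provider certificate."""
    affected = version_affected(version)
    weak = saml_profiles_without_validation(config_xml)
    return {"version_affected": affected, "profiles": weak, "exposed": affected and bool(weak)}

# Constructed sample configuration fragment (not a real device export).
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="idp-legacy"><validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="idp-hardened"><validate-idp-certificate>yes</validate-idp-certificate></entry>
</saml-idp></server-profile></shared></config>"""
```

Feed it the version and configuration exported from each device found in your scans; a device on an affected release with no flagged profiles still needs the patch, but is not in the unauthenticated-access scenario the report describes.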
- Tim Grossner, Firewall Engineer