Palo Alto Networks & Cisco Kerberos Authentication Bypass
By Tim Grossner
Palo Alto Networks and Cisco have each released security advisories for a flaw in their use of the Kerberos protocol.
Researchers from security firm Silverfort discovered the vulnerabilities, which is caused by a mistake in the implementation of the KDC (Kerberos Key Distribution Center) communication. Cisco and Palo Alto Networks have both released patches for the flaw.
The Kerberos protocol is used, in this scenario, by firewalls for authentication of users to administer firewalls.
By impersonating the KDC, a man-in-the-middle situation between PAN-OS/Cisco ASA and the KDC can be used by an attacker to login to PAN-OS as an administrator. This is a highly complex attack vector, because an attacker would need to intercept two-way communication between the firewall/Panorama and the Kerberos KDC, altering the messages in realtime. Because of that, the attack complexity for this is considered High as well as the impact.
Palo Alto Networks (All Platforms/VMs):
- PAN-OS 7.1 versions earlier than 7.1.26.
- PAN-OS 8.1 versions earlier than 8.1.13.
- PAN-OS 9.0 versions earlier than 9.0.6.
- All versions of PAN-OS 8.0.
Cisco ASA (Earlier than):
* version 9.14.X is not vulnerable.
Managing and Mitigating Risk
Each Common Vulnerability and Exposures (CVE) has been documented below with their exploit capability, impact, and advisory link which will direct organizations to a patch for the impacted devices.
Palo Alto Networks (CVE-2020-2002)
Attack Complexity: High
Description: This vulnerability affects any Palo Alto Networks firewalls running the PAN-OS versions in the list above which are configured to utilize the Kerberos authentication system to authenticate administrators.
Resolution: Software update to a PANOS version outlined above.
Please refer to https://security.paloaltonetworks.com/CVE-2020-2002 for details on patched PAN-OS versions available.
Cisco ASA (CVE-2020-3125)
Attack Complexity: High
Description: This vulnerability affects the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software. This could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access.Resolution: Software update and configuration changes need to happen on vulnerable device(s).
Please refer to https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS for additional details
At this time there are no known detection or prevention signatures for CVE-2020-2002 or CVE-2020-3125 by either vendor.
Qualys released QID 316611 on May 14 to detect CVE-2020-3125 on Cisco ASAs. At the time of publication, it had not released a detection for CVE-2020-2002 on Palo Altos. At the time of publication, Tenable has not released detections for either vulnerability.
Deepwatch will continue to monitor the situation for signatures, use cases, and detections for next-generation firewalls in regards to these two vulnerabilities, and will update customer’s environments when possible.