A Vulnerability in Palo Alto PAN-OS Could Allow for Authentication Bypass
MS-ISAC ADVISORY NUMBER:2020-086
A vulnerability in Palo Alto PAN-OS which could allow for authentication bypass. PAN-OS is an operating system for all Palo Alto Networks next generation firewalls and other products. A network-based attacker could exploit this issue if SAML authentication is enabled on the affected device. Successful exploitation of this vulnerability could allow for an attacker to gain unauthorized access to the affected application and perform actions as an administrator.
There are currently no reports of this vulnerability being exploited in the wild.
- PAN-OS Versions 9.1 prior to 9.1.3
- PAN-OS Versions 9.0 prior to 9.0.9
- PAN-OS Versions 9.1 prior to 9.1.3 PAN-OS Versions 9.0 prior to 9.0.9 PAN-OS All Versions of 8.0
- Large and medium government entities: HIGH
- Small government entities: MEDIUM
- Large and medium business entities: HIGH
- Small business entities: MEDIUM
A vulnerability in Palo Alto PAN-OS which could allow for authentication bypass. When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources(CVE-2020-2021). Protected resources that an attacker can potentially access include GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. If the web interfaces are only accessible to a restricted management network then risk of exploitation is lowered. Successful exploitation of this vulnerability could allow for an attacker to gain unauthorized access to the affected application and perform actions as an administrator.
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Palo Alto to vulnerable systems immediately after appropriate testing.
- Block external access at the network boundary, unless external parties require service.
- If global access isn’t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
- Check if affected Palo Alto products are implementing SAML (if they are not using SAML you are not impacted)
* If updating is not immediately available and the affected products are using SAML, apply mitigations by enabling the 'Validate Identity Provider Certificate' option in the SAML Identity Provider Server Profile if allowed. (See below knowledge base reference for additional details)