Palo Alto Networks Vulnerability Could Be Exploited By Foreign Hackers: Feds

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML [Security Assertion Markup Language] is in use. Foreign APTs [Advanced Persistent Threat groups] will likely attempt exploit soon,” the U.S. Cyber Command said on Twitter Monday.

A critical security vulnerability found in many Palo Alto Networks network appliances could be exploited by foreign nation-state actors, according to the U.S. government.

The flaw allows remote attackers to bypass authentication and execute arbitrary code on vulnerable systems, which in turn could allow for a full compromise of an organization’s network and systems, according to a Palo Alto Networks security advisory. The flaw, designated CVE-2020-2021, affects how software that runs Palo Alto Networks devices implements Security Assertion Markup Language (SAML).

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” the U.S. Cyber Command tweeted Monday afternoon. “Foreign APTs [Advanced Persistent Threat groups] will likely attempt exploit soon.”

[Related: Palo Alto Networks CEO Arora: ‘Eventually Great Products Win’]

The vulnerability affects software that powers several Palo Alto Networks firewalls and enterprise VPN appliances, and allows attackers under certain conditions to take control of a device without needing a password. Once adversaries have control over a device, they can leverage that to gain access to the rest of the network.

Software updates pushed out by Palo Alto Networks Monday included a fix for the vulnerability, plus the company said organizations can switch off SAML – which is a way of letting users log in to the network – to address the flaw. There isn’t currently any evidence of hackers actively exploiting this vulnerability, according to Palo Alto Networks.

Users are at risk if the SAML authentication is enabled and the ‘validate identity provider certificate’ option is disabled since improper verification of signatures can allow an unauthenticated network-based attacker to access protected resources. An unauthenticated attacker with network access could exploit this flaw to obtain sensitive information, the U.S. Cybersecurity and Infrastructure Security Agency said.

Palo Alto Networks products that allow for SAML-based single sign-on are susceptible to this vulnerability. They include: PAN-OS next generation firewalls and Panorama web interfaces; GlobalProtect Gateway; GlobalProtect Portal; GlobalProtect Clientless VPN; Authentication and Captive Portal; and Prisma Access.

In the worst-case scenario, Palo Alto Networks said this vulnerability allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. This is a critically severe flaw, meriting the highest possible rating of 10.0. Only one other Palo Alto Networks vulnerability has received a 10.0 rating since April 2012.

For the other impacted protects, Palo Alto Networks said an unauthenticated attacker with network access to the affected servers could gain access to protected resources if allowed by configured authentication and security policies. An attacker cannot inspect or tamper with sessions of regular users, and there is no impact on the integrity and availability of the gateway, portal or VPN server.

A straightforward way of addressing the flaw before updates are installed is by enabling the ‘Validate Identity Provider Certificate’ option in the SAML Identity Provider Server Profile. However, some third-party vendor integrations require the ‘validate identity provider certificate’ option be disabled during the set up process.

Palo Alto Networks said the authentication bypass in SAML authentication vulnerability was discovered and reported by Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University in Melbourne, Australia.