A critical advisory was released by Palo Alto Networks for PAN-OS. PAN OS is the software that runs all Palo Alto Networks next-generation firewalls.
Advisory Link: https://security.paloaltonetworks.com/CVE-2020-2021
Authentication Bypass vulnerability was found in SAML(Security Assertion Markup Language) Authentication. An unauthenticated network-based attacker can access protected resources due to improper verification of signatures in PAN-OS SAML authentication.
SAML SSO works by transferring the user’s identity from one place (identity provider) to another (service provider). This is done through an exchange of digitally signed XML documents.
Prerequisites for the exploit:
1.Security Assertion Markup Language (SAML) authentication should be enabled.
2.Validate Identity Provider Certificate should be disabled.
Resources that uses SAML-based single sign-on (SSO) authentication are:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next generation firewalls (PA,VM-Series) and Panorama web interfaces
- Prisma Access
- PAN-OS 7.1 is not affected
- All versions of PAN-OS 8.0 (EOL)
- PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
- PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
- PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
Many Security researchers as well as US Cyber Command have warned that attackers can take advantage of this vulnerability so patches should be applied as soon as possible .
Customers are recommended to apply the patched versions. Patched Versions includes PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.
- Make sure that SAML authentication is disabled.
- Apply both steps mentioned below:
- Identity Provider Certificate should be configured
- If the Identity Provider (IdP) certificate is Certificate Authority (CA) signed certificate, then make sure that the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile.
Qualys Policy Compliance customers can also evaluate workarounds based on following Controls:
1. For detecting whether SAML authentication is enabled or not on user accounts:
- Qualys Control ID :17947 “Status of Authentication Profile and Authentication type set for all users”
2. For detecting “Identity Provider Certificate” is configured and “Validate Identity Provider Certificate” option is enabled:
- Qualys Control ID: 18776 “Status of the ‘Validate Identity Provider Certificate’ setting sets in all SAML Identity Provider profiles”
For knowing that the system(s) might have been compromised, check on following logs is advisable:
- Authentication Logs
- User-ID Logs
- ACC Network Activity Source/Destination Regions (Leveraging the Global Filter feature)
- Custom Reports (Monitor > Report)
- GlobalProtectLogs (PAN-OS 9.1.0 and above)
Qualys customers can scan their network with QID(s)#13820 to detect vulnerable assets. Please continue to follow on Qualys Threat Protection for more coverage on these vulnerabilities.
References and Sources: