
Palo Alto Networks fixes a critical vulnerability for PAN-OS

Reference: 
Advisory #2020-021
Version: 
1.0
Affected software: 
PAN-OS 9.1 < 9.1.3
PAN-OS 9.0 < 9.0.9
PAN-OS 8.1 < 8.1.15
PAN-OS 8.0
Type: 
Authentication Bypass
CVE/CVSS: 

CVE-2020-2021 (CVSSv3: 10)

Sources

https://security.paloaltonetworks.com/CVE-2020-2021
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000...
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000...
https://nvd.nist.gov/vuln/detail/CVE-2020-2021
https://www.us-cert.gov/ncas/current-activity/2020/06/29/palo-alto-relea...

Risks

Palo Alto Networks has released security updates for a critical vulnerability, CVE-2020-2021, affecting PAN-OS when Security Assertion Markup Language (SAML) authentication is enabled. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) uses in its next-generation firewalls.
An unauthenticated attacker with network access to an affected device could exploit this vulnerability to obtain access to sensitive data.

Description

CVE-2020-2021 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication in PAN-OS. This flaw exists due to “improper verification of signatures.”

This vulnerability affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). Version 7.1 is not affected.

However, this vulnerability is exploitable only if:

• The device is configured to use SAML authentication.
• The 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile.

Please refer to the links below for details on how to check the current configuration and apply the configuration changes required to mitigate the risk.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000...
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000...
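As an added example (not part of the CERT.be advisory and not Palo Alto Networks' own tooling), the script below applies the two conditions above to a constructed PAN-OS configuration export: it checks the running version against the affected ranges and lists SAML IdP server profiles whose 'Validate Identity Provider Certificate' option is not enabled. It assumes that option appears in the exported XML as a `validate-idp-certificate` element under `saml-idp/entry`; verify that element name against your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Affected branches from the advisory, mapped to the first fixed release.
# None means every release of that branch is affected (8.0 is EOL, no fix).
AFFECTED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15), (8, 0): None}

def parse_version(version):
    """Turn '9.1.2' or '9.1.2-h1' into a comparable tuple (hotfix suffix ignored)."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def version_affected(version):
    """True if the release falls in an affected range (7.1 and fixed releases are not)."""
    v = parse_version(version)
    if v[:2] not in AFFECTED:
        return False
    first_fixed = AFFECTED[v[:2]]
    return first_fixed is None or v < first_fixed

def saml_profiles_without_idp_validation(config_xml):
    """Names of SAML IdP profiles where IdP certificate validation is not 'yes'.
    Element names are an assumption of this example, not a documented schema.
    An absent element is flagged as well, since no device default is assumed here."""
    root = ET.fromstring(config_xml)
    weak = []
    for entry in root.findall(".//saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="").strip().lower()
        if flag != "yes":
            weak.append(entry.get("name"))
    return weak

def exploitable(version, config_xml):
    """Both advisory conditions must hold: affected release AND a profile without validation."""
    return version_affected(version) and bool(saml_profiles_without_idp_validation(config_xml))

# Constructed sample export (not from a real device): one profile validates, one does not.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared><server-profile><saml-idp>
    <entry name="idp-prod">
      <entity-id>https://idp.example.test/saml</entity-id>
      <validate-idp-certificate>yes</validate-idp-certificate>
    </entry>
    <entry name="idp-legacy">
      <entity-id>https://legacy.example.test/saml</entity-id>
      <validate-idp-certificate>no</validate-idp-certificate>
    </entry>
  </saml-idp></server-profile></shared>
</config>"""

if __name__ == "__main__":
    print(saml_profiles_without_idp_validation(SAMPLE_CONFIG))  # ['idp-legacy']
    print(exploitable("9.1.2", SAMPLE_CONFIG), exploitable("9.1.3", SAMPLE_CONFIG))  # True False
```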

Recommended Actions

CERT.be recommends that system administrators apply the patches for PAN-OS 8.1.15, PAN-OS 9.0.9 and PAN-OS 9.1.3, or later versions released by the vendor.