
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability

Critical authentication bypass vulnerability in PAN-OS devices could be exploited in certain configurations, which are commonly recommended by identity providers.

Update July 2, 2020: The Recommended Configuration and Solution sections were updated to reflect new information from the team credited with discovering this vulnerability.

Background

On June 29, Palo Alto Networks published an advisory for a critical vulnerability in PAN-OS. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) uses in their next-generation firewalls.

Analysis

CVE-2020-2021 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication in PAN-OS. The vulnerability was given a CVSSv3.1 score of 10.0 by Palo Alto Networks. According to their advisory, the flaw exists due to “improper verification of signatures.” An unauthenticated, remote attacker could exploit the vulnerability to obtain access to “protected resources” within a network. The prime target in this case is Palo Alto Networks’ GlobalProtect VPN.

PAN-OS devices may be configured to use SAML authentication with single sign-on (SSO) for access management. Palo Alto Networks lists the following resources that use SAML SSO as potentially affected by this vulnerability:

Vulnerability Prerequisites

The advisory specifies that this vulnerability could be exploited when the following conditions are met:

Prerequisite #1: SAML authentication required.

As implied in the vulnerability description, a device must be configured to use SAML authentication in order to be vulnerable. If the device is not configured to use SAML authentication, it is not vulnerable.

Prerequisite #2: “Validate Identity Provider Certificate” must be disabled.

Under the SAML Identity Provider Server Profile configuration section, the “Validate Identity Provider Certificate” option needs to be disabled (unchecked) in order for the device to be vulnerable.

Recommended Configurations from Notable Providers

While these prerequisites may seem uncommon, it appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this configuration or may only work using this configuration on devices running PAN-OS. These providers include:

To reiterate, the guidance in the documentation above is only applicable to PAN-OS devices, and inadvertently makes those devices vulnerable to CVE-2020-2021 when following this guidance.

SSL VPN Flaws: A History Lesson

In 2019, several notable SSL virtual private network (VPN) flaws were disclosed by researchers, including a critical pre-authentication vulnerability in Palo Alto Networks' GlobalProtect. Several other SSL VPN flaws were disclosed, including the following:

CVE              Product                                                Exploited   Blogs
CVE-2019-1579    Palo Alto Networks GlobalProtect                       Yes         1
CVE-2019-11510   Pulse Connect Secure                                   Yes         1, 2, 3
CVE-2018-13379   Fortinet FortiGate SSL VPN                             Yes         1
CVE-2019-19781   Citrix Application Delivery Controller and Gateway     Yes         1, 2, 3

Cybercriminals capitalized on the availability of proof-of-concept (PoC) exploit code for these vulnerabilities and have used them in a variety of attacks, from nation-state operations to a rash of ransomware attacks. These flaws have remained popular in 2020: the Cybersecurity and Infrastructure Security Agency (CISA) lists several of them as being “routinely exploited by sophisticated foreign cyber actors.”

Several notable security researchers as well as the United States Cyber Command have warned that CVE-2020-2021 will likely be leveraged by attackers in the near future.

Proof of concept

At the time this blog post was published, there was no working PoC code available for this vulnerability. However, we expect a PoC will become available in the near future.

Solution

Palo Alto Networks has released patches for PAN-OS 8.x, 9.0.x and 9.1.x. PAN-OS 7.1 is not affected by this vulnerability. The following table lists the affected and fixed PAN-OS versions.

PAN-OS Version   Vulnerable   Affected Versions     Fixed Versions
7.1              No           -                     -
8.0.x            Yes          8.0.0 and greater     -
8.1.x            Yes          8.1.15 and lesser     8.1.15 and greater
9.0.x            Yes          9.0.9 and lesser      9.0.9 and greater
9.1.x            Yes          9.1.3 and lesser      9.1.3 and greater

Tenable strongly encourages patching your PAN-OS devices whether or not your devices have the specific prerequisites required for exploitation.

If upgrading is not feasible at this time, Palo Alto Networks provides mitigation options. The quickest solution would be to disable SAML authentication altogether and switch to a different authentication method.

Until upgrading is feasible, additional mitigation options from the Palo Alto advisory include:

  1. If available, use a certificate from an identity provider (IdP) that is signed by a certificate authority (CA)
  2. Enable the “Validate Identity Provider Certificate” option

Ryan Newington, whose team discovered CVE-2020-2021, published a Twitter thread on June 30 clarifying some confusion around the vulnerability and the use of the “Validate Identity Provider Certificate” option.


Image Source: Twitter Thread from Ryan Newington on CVE-2020-2021 (Note: The tweet incorrectly labels the CVE as CVE-2020-2012)

The SAML specification only requires validation of the public and private keys contained within the certificate, and states that the signing of the certificate be provided out-of-band. This means that the certificate is explicitly trusted by the service provider, and no third-party-validated certificate is required.

The issue stems from vulnerable code in the PAN-OS digital signature validation, not from the configuration guidance published by identity providers. However, their guidance inadvertently makes PAN-OS devices vulnerable to CVE-2020-2021.

The recommendation to enable the “Validate Identity Provider Certificate” option will prevent a self-signed certificate from ever reaching the vulnerable code. Please note that having this option turned off is not the source of the vulnerability; it merely allows self-signed certificates to reach the vulnerable code.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Because the vulnerability is configuration dependent, our plugins will detect potentially vulnerable hosts, which then need to be manually confirmed as vulnerable based on the specific deployment scenario. Because of how this plugin is designed, users must enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to run this plugin in a scan.

We also recommend enabling only this specific plugin in a paranoid scan. Scan policies with all plugins enabled will see an increase in the number of findings, as every paranoid plugin will run during the scan.
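The two prerequisites above (an affected PAN-OS build and a SAML IdP server profile with “Validate Identity Provider Certificate” unchecked) can be checked offline against a configuration export. The following is an added example, not Tenable's plugin or Palo Alto Networks' code; it uses the Fixed Versions column of the table above as the patched boundary and assumes the PAN-OS XML export layout `server-profile/saml-idp/entry[@name]` with a `validate-idp-certificate` child element (an assumption about the export format).

```python
import re
import xml.etree.ElementTree as ET

# First fixed build per affected release train, from the table in this post.
# 8.0.x has no fixed release; 7.1 is not affected at all.
FIXED = {"8.1": (8, 1, 15), "9.0": (9, 0, 9), "9.1": (9, 1, 3)}
UNFIXED_TRAINS = {"8.0"}
UNAFFECTED_TRAINS = {"7.1"}


def parse_version(version):
    """Turn a PAN-OS version such as '9.0.8-h1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """True if the PAN-OS build predates the fix for CVE-2020-2021 on its release train."""
    major, minor, patch = parse_version(version)
    train = f"{major}.{minor}"
    if train in UNAFFECTED_TRAINS:
        return False
    if train in UNFIXED_TRAINS:
        return True
    if train in FIXED:
        return (major, minor, patch) < FIXED[train]
    return False  # train not listed in the advisory table (e.g. 10.x): not flagged


def risky_saml_profiles(config_xml):
    """Names of SAML IdP server profiles whose IdP certificate validation is not enabled.

    Assumed export layout: <saml-idp><entry name=...><validate-idp-certificate>yes|no.
    A missing element is treated as unchecked, the state that lets a self-signed
    IdP certificate reach the vulnerable signature-validation code.
    """
    root = ET.fromstring(config_xml)
    return [
        profile.get("name")
        for container in root.iter("saml-idp")
        for profile in container.findall("entry")
        if profile.findtext("validate-idp-certificate", default="no").strip().lower() != "yes"
    ]


def assess(version, config_xml):
    """Both prerequisites must hold: affected build AND at least one risky SAML profile."""
    profiles = risky_saml_profiles(config_xml)
    return version_is_affected(version) and len(profiles) > 0, profiles


# Constructed sample export: one profile with validation off, one with it on.
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="corp-idp-selfsigned"><validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="corp-idp-ca"><validate-idp-certificate>yes</validate-idp-certificate></entry>
</saml-idp></server-profile></shared></config>"""

if __name__ == "__main__":
    print(assess("9.0.8", SAMPLE_CONFIG))
```

A device that is on a patched build but still lists a risky profile is not vulnerable to this CVE, but the profile still accepts an IdP certificate with no CA validation, which is why the advisory's mitigation remains worthwhile after patching.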

Enabling Paranoid Mode

To enable this setting for Nessus and Tenable.io users:

  1. Click Assessment > General > Accuracy
  2. Enable the “Show potential false alarms” option

To enable this setting for Tenable.sc (formerly SecurityCenter) users:

  1. Click Assessment > Accuracy
  2. Click the drop-down box and select “Paranoid (more false alarms)”

Get more information

Join Tenable's Security Response Team on the Tenable Community.
