Critical authentication bypass vulnerability in PAN-OS devices could be exploited in certain configurations, which are commonly recommended by identity providers.
Update July 2, 2020: The Recommended Configuration and Solution sections were updated to reflect new information from the team credited with discovering this vulnerability.
On June 29, Palo Alto Networks published an advisory for a critical vulnerability in PAN-OS. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) uses in their next-generation firewalls.
CVE-2020-2021 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication in PAN-OS. The vulnerability was given a CVSSv3.1 score of 10.0 by Palo Alto Networks. According to their advisory, the flaw exists due to “improper verification of signatures.” An unauthenticated, remote attacker could exploit the vulnerability to obtain access to “protected resources” within a network. The most likely target, in this case, is Palo Alto Networks’ GlobalProtect VPN.
If you use Palo-Alto firewalls with SAML -- particularly with GlobalProtect VPN -- you probably want to urgently patch this. Also researchers should probably avoid disclosing details publicly for a window to give orgs time to mitigate. https://t.co/vh18ZgsurC — Kevin Beaumont (@GossiTheDog) June 29, 2020
PAN-OS devices may be configured to use SAML authentication with single sign-on (SSO) for access management. Palo Alto Networks lists the following resources that use SAML SSO as potentially affected by this vulnerability:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-gen firewalls
The advisory specifies that this vulnerability could be exploited when the following conditions are met:
Prerequisite #1: SAML authentication required.
As implied in the vulnerability description, a device must be configured to use SAML authentication in order to be vulnerable. If the device is not configured to use SAML authentication, it is not vulnerable.
Prerequisite #2: “Validate Identity Provider Certificate” must be disabled.
Under the SAML Identity Provider Server Profile configuration section, the “Validate Identity Provider Certificate” option needs to be disabled (unchecked) in order for the device to be vulnerable.
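One way to check both prerequisites at once against an exported PAN-OS configuration, as an added example that is not Tenable's or Palo Alto Networks' own code: it walks the SAML IdP server profiles, keeps those whose “Validate Identity Provider Certificate” setting is off, and reports which authentication profiles actually reference them. The XML element names (`server-profile/saml-idp/entry`, `validate-idp-certificate`, `method/saml-idp/server-profile`) and the sample config are assumptions modelled on a PAN-OS export and should be checked against your own device's configuration.

```python
# Added example (not Tenable's or Palo Alto Networks' code): audit an exported
# PAN-OS configuration for the two exploitation prerequisites of CVE-2020-2021.
# ASSUMPTION: the element layout below mirrors a PAN-OS config export; verify
# the names against your own "show config" output before relying on it.
import xml.etree.ElementTree as ET

# Constructed sample config: one IdP profile with validation off, one with it on.
SAMPLE_CONFIG = """<config><shared>
  <server-profile><saml-idp>
    <entry name="okta-idp"><certificate>okta-selfsigned</certificate>
      <validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="corp-idp"><certificate>corp-ca-signed</certificate>
      <validate-idp-certificate>yes</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="gp-saml-auth"><method><saml-idp>
      <server-profile>okta-idp</server-profile></saml-idp></method></entry>
    <entry name="admin-saml-auth"><method><saml-idp>
      <server-profile>corp-idp</server-profile></saml-idp></method></entry>
    <entry name="local-auth"><method><local-database/></method></entry>
  </authentication-profile>
</shared></config>"""


def find_exposed_saml_profiles(config_xml):
    """Return {idp_profile: [auth profiles using it]} for every SAML IdP server
    profile whose "Validate Identity Provider Certificate" option is off.
    Both prerequisites must hold: SAML is actually used by an authentication
    profile (#1) AND validation is disabled (#2). Unreferenced profiles are
    skipped; a missing element is treated as unchecked (assumed default)."""
    root = ET.fromstring(config_xml)
    unvalidated = {
        e.get("name")
        for e in root.iterfind(".//server-profile/saml-idp/entry")
        if (e.findtext("validate-idp-certificate") or "no").strip().lower() != "yes"
    }
    exposed = {}
    for ap in root.iterfind(".//authentication-profile/entry"):
        idp = ap.findtext("method/saml-idp/server-profile")
        if idp in unvalidated:
            exposed.setdefault(idp, []).append(ap.get("name"))
    return exposed


if __name__ == "__main__":
    for idp, users in find_exposed_saml_profiles(SAMPLE_CONFIG).items():
        print(f"IdP profile '{idp}' has certificate validation off; used by: {users}")
```

Profiles listed by this check are the ones where enabling the option (or upgrading) removes the path to the vulnerable signature code described later in this post.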
Recommended Configurations from Notable Providers
While these prerequisites may seem uncommon, it appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this configuration or may only work using this configuration on devices running PAN-OS. These providers include:
- Okta
- SecureAuth
- SafeNet Trusted Access
- Duo
- Trusona via Azure AD
- Azure AD
- Centrify
To reiterate, the guidance in the documentation above is only applicable to PAN-OS devices, and inadvertently makes those devices vulnerable to CVE-2020-2021 when following this guidance.
SSL VPN Flaws: A History Lesson
In 2019, several notable SSL virtual private network (VPN) flaws were disclosed by researchers, including a critical pre-authentication vulnerability in Palo Alto Networks' GlobalProtect. Several other SSL VPN flaws were disclosed, including the following:
| CVE | Product | Exploited in the wild | References |
|---|---|---|---|
| CVE-2019-1579 | Palo Alto Networks GlobalProtect | Yes | 1 |
| CVE-2019-11510 | Pulse Connect Secure | Yes | 1, 2, 3 |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN | Yes | 1 |
| CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | Yes | 1, 2, 3 |
Cybercriminals capitalized on the availability of proof-of-concept (PoC) exploit code for these vulnerabilities and have utilized them in a variety of attacks, from nation-state intrusions to a rash of ransomware attacks. These flaws have remained popular in 2020, as the Cybersecurity and Infrastructure Security Agency (CISA) lists a few of them as being “routinely exploited by sophisticated foreign cyber actors.”
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
Proof of concept
At the time this blog post was published, there was no working PoC code available for this vulnerability. However, we expect a PoC will become available in the near future.
Palo Alto Networks has released patches for PAN-OS 8.1.x, 9.0.x and 9.1.x. PAN-OS 8.0.x is affected but has no fixed version, and PAN-OS 7.1 is not affected by this vulnerability. The following table lists the affected and fixed PAN-OS versions.
| PAN-OS Version | Vulnerable | Affected Versions | Fixed Versions |
|---|---|---|---|
| 8.0.x | Yes | 8.0.0 and later | - |
| 8.1.x | Yes | earlier than 8.1.15 | 8.1.15 and later |
| 9.0.x | Yes | earlier than 9.0.9 | 9.0.9 and later |
| 9.1.x | Yes | earlier than 9.1.3 | 9.1.3 and later |
Tenable strongly encourages patching your PAN-OS devices whether or not your devices have the specific prerequisites required for exploitation.
If upgrading is not feasible at this time, Palo Alto Networks provides mitigation options. The quickest solution would be to disable SAML authentication altogether and switch to a different authentication method.
Until upgrading is feasible, additional mitigation options from the Palo Alto advisory include:
- If available, use a certificate from an identity provider (IdP) that is signed by a certificate authority (CA)
- Enable the “Validate Identity Provider Certificate” option
Ryan Newington, whose team discovered CVE-2020-2021, published a Twitter thread on June 30 clarifying some confusion around the vulnerability and the use of the “Validate Identity Provider Certificate” option.
Image Source: Twitter Thread from Ryan Newington on CVE-2020-2021 (Note: The tweet incorrectly labels the CVE as CVE-2020-2012)
The SAML specification only requires validation against the key material (the public key) contained within the certificate, and leaves establishing trust in the certificate itself to an out-of-band exchange between the parties. This means that the certificate is explicitly trusted by the service provider, and no certificate validated by a third party is required.
The issue stems from vulnerable code in the PAN-OS digital signature validation not in the configuration guidance from vendors. However, their guidance inadvertently makes the PAN-OS devices vulnerable to CVE-2020-2021.
Enabling the “Validate Identity Provider Certificate” option, as recommended, prevents a self-signed certificate from ever reaching the vulnerable code. Please note that having this option turned off is not the source of the vulnerability, but it allows self-signed certificates to reach the vulnerable code.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Because the vulnerability is configuration-dependent, our plugins will detect potentially vulnerable hosts, which would then need to be manually confirmed as vulnerable based on the specific deployment scenario. Given the design of this plugin, users are required to enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan.
We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.
Enabling Paranoid Mode
To enable this setting for Nessus and Tenable.io users:
- Click Assessment > General > Accuracy
- Enable the “Show potential false alarms” option
To enable this setting for Tenable.sc (formerly SecurityCenter) users:
- Click Assessment > Accuracy
- Click the drop-down box and select “Paranoid (more false alarms)”
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.