This threat report is about a newly discovered critical vulnerability in the Palo Alto PAN-OS. The threat has been named CVE-2020-2021 and was published on 06-29-20 by Palo Alto. CVE-2020-2021 is assigned the highest possible CVSS score of 10.
The issue lies within the configuration of SAML authentication and may allow malicious actors access to PAN-OS devices without authentication. Though no POC (proof-of-concept) code is currently available, an exploit of this vulnerability is to be expected in the near future.
Related Reading: We recently covered several critical Palo Alto firewall vulnerabilities and how to remediate them.
PAN-OS is affected by this vulnerability if SAML authentication is enabled and the “Validate Identity Provider Certificate” option is not enabled. Some Identity Providers (DUO, Okta, etc.) may have instructions to not enable the “Validate Identity Provider Certificate” due to using self-signed certificates. A bad actor may be able to exploit this misconfiguration to gain unauthorized access as an administrator. For a bad actor to exploit this vulnerability they must have internal network access to the device, or it must be publicly exposed on the internet.
This Palo Alto Pan-OS vulnerability affects the following resources and versions:
Palo Alto provides the below infographic for checking your systems:
The risk from this vulnerability can be fully avoided if SAML authentication is not enabled on your PAN-OS device. SAML authentication should be disabled by default. If you use SAML authentication, we recommend the patches be applied either directly through the device or through the Palo Alto support portal.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!