
DHS CISA Urges Patch of Critical Palo Alto Pan-OS Vulnerability

Following an advisory from Palo Alto Networks, DHS CISA took to Twitter to urge enterprises to immediately patch a critical PAN-OS vulnerability given the likelihood of advanced persistent threats.

Palo Alto Networks released an advisory regarding a critical vulnerability found in its PAN-OS, which could allow a hacker to gain access to protected resources. In response, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency took to Twitter to urge an immediate patch. 

The CVE-2020-2021 flaw is found in the PAN-OS software running on Palo Alto devices that have Security Assertion Markup Language (SAML) authentication enabled. The vulnerability affects all PAN-OS 9.1, 9.0, 8.1, and 8.0 versions. PAN-OS 7.1 versions are not impacted. 

When the Validate Identity Provider Certificate option is disabled, improper verification of PAN-OS SAML authentication signatures allows an unauthenticated, network-based attacker to access protected resources. 

Fortunately, an attacker must first have network access to the vulnerable server to exploit the vulnerability. The vulnerability also cannot be exploited if SAML is not used for authentication, or if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. 

SAML-based single sign-on (SSO) authentication protects the resources of the GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. 

“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and security policies,” researchers wrote. 

“There is no impact on the integrity and availability of the gateway, portal, or VPN server,” they added. “An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0.” 

For the PAN-OS and Panorama web interfaces, the flaw could allow an unauthenticated hacker with network access to log in as an administrator and perform administrative actions. The worst-case scenario is ranked as critical severity.  

If the web interfaces are only accessible from a restricted management network, the severity is lowered to a base score of 9.6. 

So far, no malicious attempts to exploit the flaw have been detected. But according to DHS CISA, foreign advanced persistent threat actors will likely attempt to exploit this vulnerability soon; the agency applauded Palo Alto's proactive response. 

Palo Alto has also provided indicators of compromise in its advisory and noted the importance of ensuring “the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully.” 

“Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration,” researchers explained. “To eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface.” 

Meanwhile, restarting firewalls and Panorama will eliminate any unauthorized sessions on the web interface. Palo Alto recommended organizations use a different authentication method and disable SAML authentication to completely mitigate the issue. 

Organizations that can’t perform an immediate software upgrade will need to apply two mitigations to eliminate the configuration required to expose the flaw. First, administrators should ensure the Identity Provider Certificate is configured, which is an essential part of a secure SAML authentication configuration. 

Further, if the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, administrators should ensure the Validate Identity Provider Certificate option is enabled in the SAML Identity Provider Server Profile. 

“Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled,” researchers explained. “Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA.” 

Lastly, upgrading to a fixed PAN-OS software version will prevent any future configuration changes related to SAML. 
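The exposure conditions described above (an affected PAN-OS branch, SAML in use, and the Validate Identity Provider Certificate option not enabled) and the two mitigation checks can be turned into a quick configuration audit. The script below is an added example written for this article; it is not code from Palo Alto Networks or from the advisory. The XML element names (saml-idp, certificate, validate-idp-certificate) and the config version attribute are assumptions meant to resemble a PAN-OS configuration export and should be adjusted to match a real one; the sample configuration is constructed for the example.

```python
"""Audit SAML IdP server profiles for the CVE-2020-2021 preconditions.

Added example, not from the advisory or the article. Element names
(saml-idp, certificate, validate-idp-certificate) and the <config version>
attribute are ASSUMED to mirror a PAN-OS configuration export; adjust them
to a real export before use. SAMPLE_CONFIG is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Branches the article lists as affected; 7.1 is listed as not impacted.
# Fixed releases exist within these branches but are not named in the
# article, so this check reports at branch granularity only.
AFFECTED_BRANCHES = {(9, 1), (9, 0), (8, 1), (8, 0)}

# Constructed sample export: one weak profile and one hardened profile.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="idp-weak">
          <certificate/>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="idp-hardened">
          <certificate>corp-idp-signing-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""


def parse_branch(version: str):
    """Return (major, minor) from a dotted version string such as '9.1.2'."""
    parts = version.split(".")
    return int(parts[0]), int(parts[1])


def branch_affected(version: str) -> bool:
    """True when the major.minor branch is one the article lists as affected."""
    return parse_branch(version) in AFFECTED_BRANCHES


def audit_saml_profiles(config_xml: str):
    """Return one finding dict per SAML IdP profile in the config.

    A profile is 'exposed' when the software branch is affected AND the
    Validate Identity Provider Certificate option is not enabled, which is
    the configuration the advisory says the flaw requires. A missing IdP
    certificate is reported as well, because the advisory calls it an
    essential part of a secure SAML setup and it must be configured before
    validation can be enabled. No SAML profiles means no findings, matching
    the advisory's note that the flaw needs SAML to be in use.
    """
    root = ET.fromstring(config_xml)
    version = root.get("version", "0.0")
    affected = branch_affected(version)
    findings = []
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        cert_el = entry.find("certificate")
        has_cert = cert_el is not None and (cert_el.text or "").strip() != ""
        validate_el = entry.find("validate-idp-certificate")
        validates = (validate_el is not None
                     and (validate_el.text or "").strip().lower() == "yes")
        actions = []
        if not has_cert:
            actions.append("configure the Identity Provider Certificate")
        if not validates:
            actions.append("enable Validate Identity Provider Certificate "
                           "(requires a CA-signed IdP certificate)")
        if affected:
            actions.append("upgrade to a fixed PAN-OS release")
        findings.append({
            "profile": entry.get("name"),
            "version": version,
            "has_idp_certificate": has_cert,
            "validates_idp_certificate": validates,
            "exposed": affected and not validates,
            "actions": actions,
        })
    return findings


if __name__ == "__main__":
    for f in audit_saml_profiles(SAMPLE_CONFIG):
        status = "EXPOSED" if f["exposed"] else "ok"
        print(f"{f['profile']:<14} {status:<8} "
              f"actions: {'; '.join(f['actions']) or 'none'}")
```

Run against the constructed sample, the weak profile is reported as exposed with all three actions, while the hardened profile is reported as not exposed and only carries the upgrade reminder, reflecting the article's point that the fixed release is still the complete remedy.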

“Skipping certificate validation is a shortcut some will take to get a product working quickly. Sometimes the easy way comes at a high price in terms of cybersecurity,” Dor Segal, technology researcher at Silverfort, said in an emailed statement. 

“We highly recommend that developers take the time to perform certificate validation for every application on the network,” he added. “In addition, adding a multi-factor authentication layer will provide maximum security to your network.” 
