Alert: Patch CVE-2020-2021 (in Palo Alto Networks products)

Warning about the SAML vulnerability CVE-2020-2021 in various devices from the vendor Palo Alto and similar products. It can be assumed that the vulnerability will soon be exploited by cyber criminals to penetrate networks.


CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

The vulnerability CVE-2020-2021 (Authentication Bypass in SAML Authentication) exists in various Palo Alto Networks (PAN) products in their PAN-OS operating system. If SAML authentication (Security Assertion Markup Language) is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper signature verification during PAN-OS SAML authentication allows an unauthenticated network-based attacker to access protected resources.

The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue cannot be exploited if SAML is not used for authentication. This issue affects PAN-OS 9.1 versions prior to PAN-OS 9.1.3; PAN-OS 9.0 versions prior to PAN-OS 9.0.9; PAN-OS 8.1 versions prior to PAN-OS 8.1.15 and all versions of PAN-OS 8.0 (EOL). This problem does not affect PAN-OS 7.1.
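The advisory text above gives two things an administrator needs for triage: the affected-version ranges per PAN-OS train, and the two preconditions (SAML enabled, 'Validate Identity Provider Certificate' unchecked). The following is an added example, not Palo Alto Networks code, that encodes exactly those statements as a small inventory check. The `Device` record, its field names and the sample inventory are constructed for this example; version strings with a hotfix suffix (such as `9.0.9-h1`) are assumed to compare by their base release.

```python
"""Triage helper for CVE-2020-2021 (PAN-OS SAML authentication bypass).

Added example, not vendor code. It encodes the version ranges and the
preconditions stated in the advisory; the inventory format is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# First fixed release per affected train, as stated in the advisory.
FIXED_RELEASE = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
}
ALL_AFFECTED = {(8, 0)}   # PAN-OS 8.0 is EOL: every 8.0 release is affected
NOT_AFFECTED = {(7, 1)}   # advisory states PAN-OS 7.1 is not affected


def parse_version(version: str) -> tuple:
    """Turn '9.0.9-h1' into (9, 0, 9): hotfix suffixes are dropped (assumption),
    missing components default to 0."""
    base = version.strip().split("-")[0]
    parts = [int(p) for p in base.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_affected(version: str) -> Optional[bool]:
    """True if the advisory lists this release as vulnerable, False if it is
    fixed or explicitly unaffected, None if the train is not mentioned at all
    (treat None as 'check the vendor advisory', not as safe)."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    if train in NOT_AFFECTED:
        return False
    if train in ALL_AFFECTED:
        return True
    if train in FIXED_RELEASE:
        return (major, minor, patch) < FIXED_RELEASE[train]
    return None


@dataclass
class Device:
    """Constructed inventory record; field names are this example's own."""
    name: str
    version: str
    saml_enabled: bool
    validate_idp_cert: bool   # the 'Validate Identity Provider Certificate' box


def triage(device: Device) -> str:
    """Classify one device:
    'exposed' - vulnerable release AND both preconditions from the advisory met
    'patch'   - vulnerable release, but SAML is off or the IdP cert is validated
    'ok'      - fixed or unaffected release
    'unknown' - train not covered by the advisory text"""
    affected = version_affected(device.version)
    if affected is None:
        return "unknown"
    if not affected:
        return "ok"
    if device.saml_enabled and not device.validate_idp_cert:
        return "exposed"
    return "patch"


def triage_inventory(devices: List[Device]) -> Dict[str, str]:
    """Map device name to its triage status for the whole inventory."""
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory covering each branch of the advisory.
SAMPLE_INVENTORY = [
    Device("gp-portal-1", "9.1.2", saml_enabled=True, validate_idp_cert=False),
    Device("gp-portal-2", "9.1.3", saml_enabled=True, validate_idp_cert=False),
    Device("fw-branch-3", "9.0.9-h1", saml_enabled=True, validate_idp_cert=False),
    Device("fw-dc-4", "8.1.14", saml_enabled=True, validate_idp_cert=True),
    Device("fw-legacy-5", "8.0.20", saml_enabled=False, validate_idp_cert=False),
    Device("fw-old-6", "7.1.26", saml_enabled=True, validate_idp_cert=False),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {status}")
```

A device on a vulnerable release with SAML enabled and certificate validation on still lands in the 'patch' bucket rather than 'ok': the advisory only says the issue is not exploitable under that configuration, and the release itself is still the one that needs updating.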

Affected systems

Resources that can be protected by SAML-based Single Sign-On (SSO) authentication are, according to Palo Alto Networks:

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
  • Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies.


There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log on as administrator and perform administrative actions.

  • The worst case scenario is a vulnerability of critical severity with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

  • If the web interfaces are only accessible from a restricted management network, the vulnerability is reduced to a CVSS base score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Alarm from security researchers

I came across the following tweet a few hours ago where it is strongly recommended that administrators patch their devices to close the vulnerability.

Security researchers assume that the vulnerability will soon be exploited by cyber criminals to access internal networks
