Warning about the SAML vulnerability CVE-2020-2021 in various devices from the vendor Palo Alto and similar products. It can be assumed that the vulnerability will soon be exploited by cyber criminals to penetrate networks.
CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
The vulnerability CVE-2020-2021 (Authentication Bypass in SAML Authentication) exists in various Palo Alto Networks (PAN) products in their PAN-OS operating system. If SAML authentication (Security Assertion Markup Language) is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper signature verification during PAN-OS SAML authentication allows an unauthenticated network-based attacker to access protected resources.
The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue cannot be exploited if SAML is not used for authentication. This issue affects PAN-OS 9.1 versions prior to PAN-OS 9.1.3; PAN-OS 9.0 versions prior to PAN-OS 9.0.9; PAN-OS 8.1 versions prior to PAN-OS 8.1.15 and all versions of PAN-OS 8.0 (EOL). This problem does not affect PAN-OS 7.1.
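To make the affected-version ranges and the configuration precondition above concrete, here is an added triage helper (written for this post, not Palo Alto Networks code) that flags a device as exposed only when its PAN-OS release predates the fix for its branch and SAML is enabled with 'Validate Identity Provider Certificate' unchecked. The sample inventory and the two boolean flags are constructed assumptions; the version thresholds are the ones stated in the advisory text.

```python
# Added example: CVE-2020-2021 exposure triage. Not Palo Alto Networks code;
# the version thresholds come from the advisory text quoted in this post.
from typing import Optional, Tuple

# Fixed release per affected PAN-OS branch. None marks a branch with no fix
# at all (8.0 is end-of-life); branches not listed here (e.g. 7.1) are not
# affected according to the advisory.
FIXED_IN = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
    (8, 0): None,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a PAN-OS version such as '9.0.8-h2' into (9, 0, 8), dropping hotfix suffixes."""
    base = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in base.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return parts


def version_is_vulnerable(version: str) -> bool:
    """True if this PAN-OS release predates the fixed release for its branch."""
    v = parse_version(version)
    fixed: Optional[Tuple[int, int, int]]
    if (v[0], v[1]) not in FIXED_IN:
        return False
    fixed = FIXED_IN[(v[0], v[1])]
    if fixed is None:
        return True  # whole branch affected, no fix available
    v3 = (v + (0, 0, 0))[:3]  # pad so '9.1' compares as 9.1.0
    return v3 < fixed


def is_exposed(version: str, saml_enabled: bool, validate_idp_cert: bool) -> bool:
    """Exposure needs a vulnerable release AND SAML auth with IdP cert validation unchecked."""
    return version_is_vulnerable(version) and saml_enabled and not validate_idp_cert


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, saml_enabled, validate_idp_cert)
    inventory = [
        ("fw-edge-1", "9.0.8", True, False),   # vulnerable release, weak config
        ("fw-edge-2", "9.1.3", True, False),   # already on the fixed release
        ("panorama-1", "8.1.14", True, True),  # vulnerable release, but cert validation on
        ("fw-lab", "8.0.20", True, False),     # EOL branch, no fix
    ]
    for host, ver, saml, validate in inventory:
        print(f"{host}: {'EXPOSED' if is_exposed(ver, saml, validate) else 'ok'}")
```

Devices where SAML is disabled, or where the checkbox is already set, are reported as not exposed, matching the precondition the advisory gives; the version check alone still tells you which units need the patch.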
Resources that can be protected by SAML-based Single Sign-On (SSO) authentication are, according to Palo Alto Networks:
- GlobalProtect Clientless VPN,
- Authentication and Captive Portal,
- PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces.
In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies.
There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log on as administrator and perform administrative actions.
In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
If the web interfaces are only reachable from a restricted management network, the severity is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
Alarm from security researchers
I came across the following tweet a few hours ago, in which administrators are strongly urged to patch their devices to close the vulnerability.
Yes, part of the reason the Palo-Alto vulnerability is bad is disabling cert verification is common in enterprises, as is using SAML. https://t.co/W8BZ8JxtZu
— Kevin Beaumont (@GossiTheDog) June 29, 2020
Security researchers assume that the vulnerability will soon be exploited by cyber criminals to gain access to internal networks.