Threat Advisory: Palo Alto PAN-OS Authentication Bypass in SAML Vulnerability
June 30, 2020
On June 29, 2020, Palo Alto Networks released a security advisory relating to a critical authentication bypass vulnerability within PAN-OS Security Assertion Markup Language (SAML) authentication.
Currently, the affected products include:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
- Prisma Access
The vulnerability affects PAN-OS versions 9.1, 9.0, 8.1, and 8.0; it currently does not affect version 7.1. Note that PAN-OS 8.0 is beyond its support window and is considered end of life.
When SAML authentication is enabled and the "Validate Identity Provider Certificate" option is disabled, improper verification of signatures in PAN-OS SAML authentication allows an unauthenticated network-based attacker to access protected resources. Exploitation requires network access to the vulnerable server.
However, the vulnerability cannot be exploited if SAML is not used for authentication, or if the "Validate Identity Provider Certificate" option is enabled within the SAML Identity Provider Server Profile.
With regards to GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Captive Portal, and Prisma Access, the unauthenticated attacker would be able to gain access to protected resources if allowed by configured authentication and security policies. However, there is no impact to the integrity and availability of the affected gateway, portal, or VPN server, and the attacker cannot inspect or tamper with regular user sessions.
For PAN-OS next-gen firewalls and Panorama web interfaces, the unauthenticated attacker with network access would be able to log in as an administrator and perform administrative actions. Therefore, even if the web interface is segregated to a restricted management network, this vulnerability still receives a critical CVSS Base Score since the restricted management network can still be compromised by the attacker.
Organizations running affected versions of PAN-OS should examine their authentication logs, User-ID logs, ACC Network Activity Source/Destination Regions (using the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above) for signs of compromise before applying any of the following recommended mitigations.
Any unusual usernames or source IP addresses found in these logs and reports can be considered indicators of a compromise and should be further investigated.
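As an added example (not part of this advisory and not a Palo Alto Networks tool), the following Python script applies the log-review guidance above to a few constructed authentication log lines: it keeps only successful SAML logins and flags any whose username is absent from the identity provider's user list or whose source address falls outside the expected client networks. The line format, the user list and the trusted network ranges are assumptions; adapt the regex to the columns of your exported log.

```python
import ipaddress
import re

# Constructed sample lines in an assumed format (not real PAN-OS output).
SAMPLE_LOG = """\
2020-06-29 10:02:11 auth-success method=saml user=alice.w src=10.20.5.17 profile=IdP-Okta
2020-06-29 10:03:40 auth-success method=saml user=admin src=203.0.113.45 profile=IdP-Okta
2020-06-29 10:04:02 auth-success method=saml user=bob.k src=10.20.5.30 profile=IdP-Okta
2020-06-29 10:05:55 auth-success method=saml user=svc_backup src=10.20.9.1 profile=IdP-Okta
2020-06-29 10:07:13 auth-success method=ldap user=carol.m src=198.51.100.8 profile=Corp-LDAP
"""

# Assumed baselines: usernames exported from the IdP, and expected client networks.
KNOWN_USERS = {"alice.w", "bob.k", "carol.m"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth-success method=(?P<method>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) profile=(?P<profile>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(log_text, known_users=KNOWN_USERS, trusted_nets=TRUSTED_NETS):
    """Flag successful SAML logins with an unknown username or an unexpected source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "saml":
            continue  # only SAML-authenticated sessions are in scope
        reasons = []
        if rec["user"] not in known_users:
            reasons.append("username not present in IdP directory")
        try:
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in trusted_nets):
                reasons.append("source address outside expected networks")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "src": rec["src"], "reasons": reasons})
    return findings
```

Each finding is a lead for investigation, not proof of compromise; a successful SAML login for a username the IdP has never issued is the strongest signal in this set.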
Organizations using an SSO authentication tool aside from SAML currently remain unaffected by this vulnerability.
Mitigations for the SAML Vulnerability
Herjavec Group agrees with Palo Alto's recommended solution, which is to upgrade to the latest unaffected version of PAN-OS. If taking this course of action, organizations must ensure that the signing certificate for the SAML Identity Provider is configured as the "Identity Provider Certificate" before upgrading to a patched version to make sure users can authenticate successfully after the upgrade.
However, until an upgrade can be performed, it is recommended that organizations:
- Ensure the "Identity Provider Certificate" is configured, and
- Ensure that the "Validate Identity Provider Certificate" option is enabled within the SAML Identity Provider Server Profile if the certificate is from a certificate authority
Lastly, organizations may also choose to implement a different authentication method along with disabling SAML authentication, which will mitigate the vulnerability completely.
- Instructions related to identity provider configuration can be found here.
- SAML configuration check steps can be found here.
Herjavec Group Vulnerability Management clients can reference their latest reports for CVE-2020-2021. We are reviewing the most recent scan data and will escalate patches as required.
Herjavec Group is proactively ensuring that applicable signatures are up to date for our Managed Security Services Customers. We are actively engaged with all technology product updates relating to CVE-2020-2021.
If your organization has been affected by the vulnerability, please contact us for Incident Response or compromise assessment support as needed.
For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.