Palo Alto Networks has disclosed a critical flaw in PAN-OS, the operating system running all of its next-generation firewalls, that could let unauthenticated network-based attackers bypass authentication.
The company’s website says that PAN‑OS is the software that runs all of its next-generation firewalls.
“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” the company’s security advisory reads.
While the ‘Validate Identity Provider Certificate’ option should not normally be disabled, disabling it is the recommended setting in the official deployment guides published by Microsoft, Okta, Ping Identity, Duo, and SecureAuth, as Rapid7’s Bob Rudis discovered.
“We have no specific Sonar study for GlobalProtect PAN-OS devices, but our combined generic studies discovered just over 69,000 nodes, 28,188 (40.6%) of which are in the U.S.,” Rudis also said.
U.S. Cyber Command also warned on Twitter that foreign APT groups will likely try to exploit Palo Alto Networks firewalls that have not been patched against this flaw.
Tracked as CVE-2020-2021, the flaw is rated critical with a CVSS 3.x base score of 10, and it can be exploited by attackers with network access to vulnerable servers in low-complexity attacks.
“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies,” Palo Alto Networks explains.
“There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users.
“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions.”
Customers who want to look for signs of compromise before applying mitigations or installing the patch are directed to review the authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (using the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above).
According to the security advisory, unusual usernames or source IP addresses found in these logs and reports are indicators of compromise.
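The review described above can be automated in a first pass: tally usernames and source addresses over successful logins, and surface the ones that appear only once, come from outside the expected address ranges, or are not on the known user list. The following is an added example, not code from Palo Alto Networks or from the advisory; it works on a constructed, simplified log layout ("timestamp user source-ip result") rather than the real PAN-OS log format, and the internal network range and known-user list are assumptions a defender would replace with their own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample authentication log (illustrative layout only, not the
# PAN-OS log format): "<timestamp> <username> <source-ip> <result>".
SAMPLE_AUTH_LOG = """\
2020-06-29T08:01:12Z alice 10.1.20.15 success
2020-06-29T08:03:40Z bob 10.1.20.22 success
2020-06-29T08:05:02Z alice 10.1.20.15 success
2020-06-29T09:11:51Z carol 10.1.20.31 success
2020-06-29T09:12:07Z bob 10.1.20.22 success
2020-06-29T11:47:33Z admin 203.0.113.77 success
2020-06-29T12:02:18Z alice 10.1.20.15 success
2020-06-29T13:30:00Z bob 10.1.20.22 success
2020-06-29T14:15:45Z carol 10.1.20.31 success
2020-06-29T14:16:09Z svc_backup 198.51.100.9 success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<result>\S+)$"
)

# Address ranges treated as internal for this example (assumption; replace
# with the organisation's own user networks).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_rare(events, field, max_count=1):
    """Values of `field` seen at most `max_count` times among successful logins."""
    counts = Counter(e[field] for e in events if e["result"] == "success")
    return sorted(v for v, n in counts.items() if n <= max_count)


def is_internal(src):
    """True if `src` parses as an IP address inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def review_auth_log(text, known_users=frozenset()):
    """Summarise the indicators the advisory asks reviewers to look for.

    Returns rare usernames, rare source addresses, successful logins by users
    not on the known list, and successful logins from outside INTERNAL_NETS.
    """
    events = parse_auth_log(text)
    successes = [e for e in events if e["result"] == "success"]
    external = []
    for e in successes:
        pair = (e["user"], e["src"])
        if not is_internal(e["src"]) and pair not in external:
            external.append(pair)
    return {
        "rare_users": find_rare(events, "user"),
        "rare_sources": find_rare(events, "src"),
        "unknown_users": sorted({e["user"] for e in successes} - set(known_users)),
        "external_logins": external,
    }


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_AUTH_LOG, known_users={"alice", "bob", "carol"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample this flags `admin` and `svc_backup` as both rare and unknown, and their two logins as coming from addresses outside the internal range. Hits from a script like this are leads for a human reviewer, not proof of compromise; rare legitimate accounts (a service account, a new hire) will also appear, which is why the advisory frames these entries as indicators to investigate.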
According to Palo Alto Networks, no malicious attempts to exploit CVE-2020-2021 had been observed as of the security advisory’s publication.