
Tenable Blog


CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability

Critical authentication bypass vulnerability in PAN-OS devices could be exploited in certain configurations, which are commonly recommended by identity providers.

Update July 2, 2020: The Recommended Configuration and Solution sections were updated to reflect new information from the team credited with discovering this vulnerability.

Background

On June 29, Palo Alto Networks published an advisory for a critical vulnerability in PAN-OS. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) uses in their next-generation firewalls.

Analysis

CVE-2020-2021 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication in PAN-OS. The vulnerability was given a CVSSv3.1 score of 10.0 by Palo Alto Networks. According to their advisory, the flaw exists due to “improper verification of signatures.” An unauthenticated, remote attacker could exploit the vulnerability to obtain access to “protected resources” within a network. The most attractive target, in this case, is Palo Alto Networks’ GlobalProtect VPN.

PAN-OS devices may be configured to use SAML authentication with single sign-on (SSO) for access management. Palo Alto Networks lists the following resources that use SAML SSO as potentially affected by this vulnerability:

Vulnerability Prerequisites

The advisory specifies that this vulnerability could be exploited when the following conditions are met:

Prerequisite #1: SAML authentication required.

As implied in the vulnerability description, a device must be configured to use SAML authentication in order to be vulnerable. If the device is not configured to use SAML authentication, it is not vulnerable.

Prerequisite #2: “Validate Identity Provider Certificate” must be disabled.

Under the SAML Identity Provider Server Profile configuration section, the “Validate Identity Provider Certificate” option needs to be disabled (unchecked) in order for the device to be vulnerable.

Recommended Configurations from Notable Providers

While these prerequisites may seem uncommon, it appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this configuration or may only work using this configuration on devices running PAN-OS. These providers include:

To reiterate, the guidance in the documentation above is only applicable to PAN-OS devices, and inadvertently makes those devices vulnerable to CVE-2020-2021 when following this guidance.

SSL VPN Flaws: A History Lesson

In 2019, several notable SSL virtual private network (VPN) flaws were disclosed by researchers, including a critical pre-authentication vulnerability in Palo Alto Networks' GlobalProtect. Several other SSL VPN flaws were disclosed, including the following:

CVE             Product                                             Exploited  Blogs
CVE-2019-1579   Palo Alto Networks GlobalProtect                    Yes        1
CVE-2019-11510  Pulse Connect Secure                                Yes        1, 2, 3
CVE-2018-13379  Fortinet FortiGate SSL VPN                          Yes        1
CVE-2019-19781  Citrix Application Delivery Controller and Gateway  Yes        1, 2, 3

Cybercriminals capitalized on the availability of proof-of-concept (PoC) exploit code for these vulnerabilities and have used them in a variety of attacks, from nation-state operations to a rash of ransomware attacks. These flaws have remained popular in 2020, as the Cybersecurity and Infrastructure Security Agency (CISA) lists several of them as being “routinely exploited by sophisticated foreign cyber actors.”

Several notable security researchers as well as the United States Cyber Command have warned that CVE-2020-2021 will likely be leveraged by attackers in the near future.

Proof of concept

At the time this blog post was published, there was no working PoC code available for this vulnerability. However, we expect a PoC will become available in the near future.

Solution

Palo Alto Networks has released patches for PAN-OS 8.1.x, 9.0.x and 9.1.x. PAN-OS 7.1 is not affected by this vulnerability. The following table lists the affected and fixed PAN-OS versions.

PAN-OS Version  Vulnerable  Affected Versions   Fixed Versions
7.1             No          -                   -
8.0.x           Yes         8.0.0 and greater   -
8.1.x           Yes         8.1.15 and lesser   8.1.15 and greater
9.0.x           Yes         9.0.9 and lesser    9.0.9 and greater
9.1.x           Yes         9.1.3 and lesser    9.1.3 and greater

Tenable strongly encourages patching your PAN-OS devices whether or not your devices have the specific prerequisites required for exploitation.

If upgrading is not feasible at this time, Palo Alto Networks provides mitigation options. The quickest option is to disable SAML authentication altogether and switch to a different authentication method.

Until upgrading is feasible, additional mitigation options from the Palo Alto advisory include:

  1. If available, use a certificate from an identity provider (IdP) that is signed by a certificate authority (CA)
  2. Enable the “Validate Identity Provider Certificate” option

Ryan Newington, whose team discovered CVE-2020-2021, published a Twitter thread on June 30 clarifying some confusion around the vulnerability and the use of the “Validate Identity Provider Certificate” option.

Image Source: Twitter Thread from Ryan Newington on CVE-2020-2021 (Note: The tweet incorrectly labels the CVE as CVE-2020-2012)

The SAML specification only requires validation of the public and private keys contained within the certificate, and states that trust in the certificate be established out-of-band. This means the certificate is explicitly trusted by the service provider, so no certificate validated by a third party is required.

The issue stems from vulnerable code in the PAN-OS digital signature validation, not from the configuration guidance published by identity providers. However, that guidance inadvertently leaves PAN-OS devices vulnerable to CVE-2020-2021.

The recommendation to enable the “Validate Identity Provider Certificate” option prevents a self-signed certificate from ever reaching the vulnerable code. Please note that having this option turned off is not the source of the vulnerability; it merely allows self-signed certificates to reach the vulnerable code.
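The prerequisites above (SAML in use, “Validate Identity Provider Certificate” unchecked) and the fixed-version table can be turned into a configuration triage check that mirrors what a “potentially vulnerable, confirm manually” plugin does. The script below is an added example for this post; it is not Tenable's plugin or Palo Alto Networks' code. It assumes that a PAN-OS XML configuration export places SAML IdP server profiles under server-profile/saml-idp/entry with a validate-idp-certificate element, and that authentication profiles reference them via method/saml-idp/server-profile; those element names and the sample configuration are assumptions constructed for the example, and the running software version is supplied separately (for instance from “show system info”).

```python
"""Triage a PAN-OS config export for the CVE-2020-2021 prerequisites.

Added example; not Tenable's plugin or Palo Alto Networks' code. The XML element
names below (server-profile/saml-idp/entry, validate-idp-certificate,
authentication-profile/entry/method/saml-idp/server-profile) are assumptions
about the export layout, and SAMPLE_CONFIG is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Fixed versions from the advisory table in the post: a release at or above the
# listed version is fixed. 7.1 is not affected and 8.0.x has no fixed release.
FIXED_VERSIONS = {"8.1": (8, 1, 15), "9.0": (9, 0, 9), "9.1": (9, 1, 3)}


def parse_version(text):
    """Turn '9.0.9-h1' into (9, 0, 9); hotfix suffixes do not change the base."""
    base = text.strip().split("-")[0]
    return tuple(int(part) for part in base.split("."))


def version_status(text):
    """Classify a version as not_affected, no_fix, fixed, affected or unknown."""
    ver = parse_version(text)
    train = f"{ver[0]}.{ver[1]}"
    if train == "7.1":
        return "not_affected"
    if train == "8.0":
        return "no_fix"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return "unknown"
    return "fixed" if ver >= fixed else "affected"


def saml_profiles(root):
    """Map SAML IdP server-profile name -> whether IdP certificate validation is on."""
    profiles = {}
    for entry in root.findall(".//server-profile/saml-idp/entry"):
        flag = (entry.findtext("validate-idp-certificate") or "no").strip().lower()
        profiles[entry.get("name")] = flag == "yes"
    return profiles


def referencing_auth_profiles(root, idp_name):
    """Authentication profiles whose SAML method points at the given IdP profile."""
    names = []
    for ap in root.findall(".//authentication-profile/entry"):
        ref = ap.findtext("method/saml-idp/server-profile")
        if ref and ref.strip() == idp_name:
            names.append(ap.get("name"))
    return names


def audit(config_xml, sw_version):
    """One finding per SAML IdP profile; flags those meeting both prerequisites
    on an unfixed release. Like a paranoid plugin hit, a flagged result still
    needs manual confirmation against the actual deployment."""
    root = ET.fromstring(config_xml)
    status = version_status(sw_version)
    findings = []
    for idp, validates in saml_profiles(root).items():
        users = referencing_auth_profiles(root, idp)
        findings.append({
            "idp_profile": idp,
            "validate_idp_certificate": validates,
            "auth_profiles": users,          # empty list: SAML profile unused
            "version_status": status,
            "potentially_vulnerable": (not validates) and bool(users)
                                      and status in ("affected", "no_fix"),
        })
    return findings


# Constructed sample export: one IdP profile with validation off and in use,
# one with validation on. Entity IDs are placeholders.
SAMPLE_CONFIG = """<config version="9.0.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="idp-sso">
          <entity-id>https://idp.example.test/metadata</entity-id>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="idp-strict">
          <entity-id>https://idp2.example.test/metadata</entity-id>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="globalprotect-sso">
        <method><saml-idp><server-profile>idp-sso</server-profile></saml-idp></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "9.0.3"):
        print(finding)
```

Run against a real export, the "potentially_vulnerable" flag is only a starting point: the version must be taken from the running system, not the config schema version, and an unreferenced SAML profile is not proof that SAML authentication is off for every service on the device.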

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Because the vulnerability is configuration dependent, our plugins will detect potentially vulnerable hosts that then need to be manually confirmed as vulnerable based on the specific deployment scenario. Because of how this plugin is designed, users must enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to include this plugin in a scan.

We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured with all plugins enabled will see an increase in the number of results, as every paranoid plugin will run during the scan.

Enabling Paranoid Mode

To enable this setting for Nessus and Tenable.io users:

  1. Click Assessment > General > Accuracy
  2. Enable the “Show potential false alarms” option

To enable this setting for Tenable.sc (formerly SecurityCenter) users:

  1. Click Assessment > Accuracy
  2. Click the drop-down box and select “Paranoid (more false alarms)”

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
