US Cyber Command warns organisations of critical vulnerability in Palo Alto Networks products

Foreign APTs will likely attempt to exploit the bug soon, it says

The US Cyber Command has issued an alert advising American organisations to immediately patch a critical vulnerability in Palo Alto Networks' (PAN) firewall and corporate VPN products, which could enable remote attackers to bypass authentication and take full control of vulnerable systems.

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML [Security Assertion Markup Language] is in use. Foreign APTs [Advanced Persistent Threat groups] will likely attempt exploit soon," the US Cyber Command said on Monday.

The bug, indexed as CVE-2020-2021, is a 10-out-of-10 critical vulnerability in the way the PAN-OS software implements SAML.

On Monday, the company released security updates to fix the bug, as well as detailed workarounds to mitigate the risk.

According to PAN's security advisory, CVE-2020-2021 could enable remote attackers to run arbitrary code on a vulnerable system without requiring a password, and then take full control of the system. From there, attackers can leverage their foothold to gain access to the rest of the network.

PAN said that the issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; and all versions of PAN-OS 8.0 (EOL).

PAN appliances susceptible to this flaw are those configured for SAML-based single sign-on. They include: PAN-OS next-gen firewalls and Panorama web interfaces; GlobalProtect Portal; GlobalProtect Gateway; Authentication and Captive Portal; GlobalProtect Clientless VPN; and Prisma Access.

Attackers cannot exploit the bug if SAML is not used for authentication, the company said. Moreover, enabling the 'Validate Identity Provider Certificate' option in the SAML Identity Provider Server Profile prevents exploitation.

That means not all PAN-OS appliances are vulnerable by default: neither the SAML setting nor the 'Validate Identity Provider Certificate' setting is in the vulnerable state out of the box. A user must have manually changed both for an appliance to be in the vulnerable configuration.
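The two conditions above (an affected PAN-OS release, and SAML enabled without 'Validate Identity Provider Certificate') are what a defender has to check across a fleet. The following is an added example, not code from Palo Alto Networks or from the advisory: it encodes the fixed versions the article lists and evaluates a constructed inventory. The `device` dictionary keys (`saml_enabled`, `validate_idp_cert`) are an assumed representation for illustration, not PAN-OS's own configuration format; in practice you would populate them from the appliance's exported configuration.

```python
import re
from typing import Optional

# Fixed releases named in the advisory: anything earlier in the same train is affected.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 3),
}
# PAN-OS 8.0 is end-of-life: every 8.0 release is affected and no fix is listed.
EOL_TRAINS = {(8, 0)}


def parse_version(version: str) -> tuple:
    """Parse a PAN-OS version such as '9.0.8' or '9.1.3-h1' into a tuple of ints.
    A hotfix suffix (-hN) is ignored because the advisory states its fixed
    versions without one; a hotfix on a fixed base is still fixed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version: str) -> Optional[bool]:
    """True if the release falls in an affected range, False if it is a fixed
    release, None if the train is not covered by the advisory at all."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    if train in EOL_TRAINS:
        return True
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def assess(device: dict) -> dict:
    """Combine the version check with the two configuration conditions the
    advisory names. `device` is an assumed dict shape (constructed for this
    example): {'name', 'version', 'saml_enabled', 'validate_idp_cert'}."""
    affected = version_is_affected(device["version"])
    saml = bool(device.get("saml_enabled", False))
    validate = bool(device.get("validate_idp_cert", False))
    # Exploitable only when all three line up: affected build, SAML in use,
    # and IdP certificate validation switched off.
    exploitable = bool(affected) and saml and not validate
    if exploitable:
        action = ("patch now; until then enable 'Validate Identity Provider "
                  "Certificate' or move authentication off SAML")
    elif affected and saml:
        action = "patch; exposure currently blocked by IdP certificate validation"
    elif affected:
        action = "patch on normal schedule; SAML is not in use"
    elif affected is None:
        action = "release not covered by this advisory; check vendor guidance"
    else:
        action = "fixed release; no action for this CVE"
    return {"name": device["name"], "affected_version": affected,
            "exploitable_config": exploitable, "action": action}


def run_inventory(devices: list) -> list:
    """Assess every device and return the results, most urgent first."""
    results = [assess(d) for d in devices]
    results.sort(key=lambda r: (not r["exploitable_config"],
                                not bool(r["affected_version"])))
    return results


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_DEVICES = [
    {"name": "fw-edge-1", "version": "9.0.8", "saml_enabled": True, "validate_idp_cert": False},
    {"name": "fw-edge-2", "version": "9.0.8", "saml_enabled": True, "validate_idp_cert": True},
    {"name": "panorama-1", "version": "8.1.15", "saml_enabled": True, "validate_idp_cert": False},
    {"name": "fw-lab", "version": "8.0.20", "saml_enabled": False, "validate_idp_cert": False},
]

if __name__ == "__main__":
    for r in run_inventory(SAMPLE_DEVICES):
        print(f"{r['name']:<12} affected={r['affected_version']!s:<5} "
              f"exploitable={r['exploitable_config']!s:<5} {r['action']}")
```

Devices on a fixed release still get reported when SAML is in use, so the ordering puts the fw-edge-1 case (affected build, SAML on, validation off) at the top of the list, which is the configuration the advisory singles out.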

According to PAN, there is so far no evidence that attackers have been actively exploiting the bug.