US Cyber Command warns organisations of critical vulnerability in Palo Alto Networks products
Foreign APTs will likely attempt to exploit the bug soon, it says
The US Cyber Command has issued an alert advising American organisations to immediately patch a critical vulnerability in Palo Alto Network's (PAN) firewall and corporate VPN products, which could enable remote hackers to bypass authentication and take full control of vulnerable systems.
"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML [Security Assertion Markup Language] is in use. Foreign APTs [Advanced Persistent Threat groups] will likely attempt exploit soon," the US Cyber Command said on Monday.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks' proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
https://t.co/WwJdil5X0F
The bug, indexed as CVE-2020-2021, is a 10-out-of-10 critical vulnerability which exists in the way how the PAN-OS software implements SAML.
On Monday, the company released security updates to fix the bug, as well as detailed workarounds to mitigate the risk.
According to PAN security advisory, CVE-2020-2021 could enable remote attackers to run arbitrary code on a vulnerable system without requiring a password, and then fully take control of the system. After that, hackers can leverage their presence to gain access to the rest of the network.
PAN said that the issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; and all versions of PAN-OS 8.0 (EOL).
PAN appliances susceptible to this flaw are those that allow for SAML-based single sign-on. They include: PAN-OS next gen firewalls and Panorama web interfaces; GlobalProtect Portal; GlobalProtect Gateway; Authentication and Captive Portal; GlobalProtect Clientless VPN; and Prisma Access.
Hackers cannot exploit the bug if SAML is not used for authentication, the company said. Moreover, enabling the 'Validate Identity Provider Certificate' option in the SAML Identity Provider Server Profile will prevent hackers from exploiting the bug.
That means not all PAN-OS appliances are vulnerable to attacks by default as the settings for SAML and 'Validate Identity Provider Certificate' are not in the vulnerable configuration by default. They need to be manually changed by users to be set in that vulnerable configuration.
According to PAN, there is no evidence so far to suggest that hackers have been actively exploiting the bug.
More on Threats and Risks
Campaigners urge Johnson to reform Computer Misuse Act to make it fit for modern digital era
The law currently hinders cyber security research in Britain, campaigners argue in an open letter to the PM
'Ripple20' security vulnerabilities in TCP/IP software library impact millions of connected devices
Nineteen bugs have been discovered so far in Treck software affecting connected printers, insulin pumps, smart home devices, power-grid equipment, industrial-control gears, routers, communications equipment commercial aircraft and data centre devices...
One in three Britons targeted by scammers since the start of coronavirus crisis, Citizens Advice reveals
Legal charity has seen a 19 per cent spike in the number of visitors coming to its website in recent months looking for advice from experts
Earth Empusa threat group distributing Android 'ActionSpy' spyware to target minority group in Tibet and Turkey
ActionSpy supports numerous modules which enable hackers to collect confidential information from compromised devices, including device IMEI, user phone number and contacts
Gamaredon group using new tools to target Microsoft Outlook and Office, researchers warn
And they are making no efforts to stay under the radar
