US Cyber Command warned that government hacking groups are likely to begin exploiting CVE-2020-2021 soon, a vulnerability discovered in PAN-OS, the operating system that runs on firewalls and corporate VPN devices manufactured by Palo Alto Networks.
There is real cause for concern: CVE-2020-2021 is one of the rare bugs rated 10 out of 10 on the CVSSv3 vulnerability scale. Such a score means the vulnerability is easy to exploit, exploitation does not require serious technical skill, it can be triggered remotely over the Internet, and the attacker needs no prior foothold on the target device.
Technically, the vulnerability is an authentication bypass that lets an outsider gain access to the device without providing credentials. After successful exploitation, the attacker can change PAN-OS settings; in practice this can be used to disable the access control policies of the company's firewalls and VPN solutions, after which the devices become practically useless.
Palo Alto Networks has already published a security bulletin stating that successful exploitation requires several conditions to be met. In particular, the PAN-OS device must have a specific configuration: the Validate Identity Provider Certificate option must be disabled and SAML (Security Assertion Markup Language) authentication must be enabled.
Devices that can be configured this way are vulnerable to attack. These include:
- GlobalProtect Gateway;
- GlobalProtect Portal;
- GlobalProtect Clientless VPN;
- Authentication and Captive Portal;
- PAN-OS firewalls (PA and VM series) and Panorama web interfaces;
- Prisma Access systems.
Fortunately, the default values of these settings are different. However, CERT/CC expert Will Dormann warns that many PAN-OS operator guides recommend exactly this configuration when a third-party identity provider is used, for example with Duo authentication or with third-party solutions from Centrify, Trusona and Okta.
As a result, although at first glance the vulnerability does not look too dangerous and requires certain conditions to be met, many devices are in fact configured exactly as described above, especially given the widespread use of Duo in the corporate and public sectors.
According to Troy Mursch, co-founder of Bad Packets, the current number of vulnerable systems is approximately 4,200.
“Of the 58,521 Palo Alto public servers (PAN-OS) scanned by Bad Packets, only 4,291 hosts use some kind of SAML authentication,” the expert writes, clarifying that his company's scan could determine whether SAML authentication is in use, but that the status of the Validate Identity Provider Certificate option cannot be determined this way.
Information security experts are currently urging all owners of PAN-OS devices to check their device configurations immediately and to install the patches released by Palo Alto Networks as soon as possible.
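Because an external scan cannot see the Validate Identity Provider Certificate setting, the practical check is against the device's own configuration export. The following added example (not from Palo Alto Networks or from the article) audits a config for the precondition described above: a SAML authentication profile bound to an IdP server profile whose certificate validation is off. The XML element names used here (`server-profile/saml-idp`, `validate-idp-certificate`, `authentication-profile`) are an assumed simplification of a PAN-OS export, and the sample config is constructed.

```python
# Added example: audit an exported PAN-OS configuration for the CVE-2020-2021
# precondition (SAML authentication enabled while "Validate Identity Provider
# Certificate" is disabled). The XML layout below is an ASSUMED simplification
# of a PAN-OS config export, not the vendor's documented schema; adjust the
# paths to match a real export before relying on the result.
import xml.etree.ElementTree as ET

# Constructed sample: two SAML IdP server profiles and three auth profiles.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-idp"><validate-idp-certificate>no</validate-idp-certificate></entry>
        <entry name="duo-idp"><validate-idp-certificate>yes</validate-idp-certificate></entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="vpn-users"><method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method></entry>
      <entry name="admins"><method><saml-idp><server-profile>duo-idp</server-profile></saml-idp></method></entry>
      <entry name="local-only"><method><local-database/></method></entry>
    </authentication-profile>
  </shared>
</config>"""


def find_risky_saml_profiles(config_xml: str) -> list[str]:
    """Return names of authentication profiles that use SAML through an IdP
    server profile whose certificate validation is disabled (the vulnerable
    state described in the Palo Alto Networks bulletin)."""
    root = ET.fromstring(config_xml)
    # Map IdP server profile name -> True if IdP certificate validation is on.
    validates = {}
    for idp in root.iterfind("./shared/server-profile/saml-idp/entry"):
        flag = idp.findtext("validate-idp-certificate", default="no")
        validates[idp.get("name")] = flag.strip().lower() == "yes"
    risky = []
    for prof in root.iterfind("./shared/authentication-profile/entry"):
        idp_name = prof.findtext("method/saml-idp/server-profile")
        if idp_name is None:
            continue  # not a SAML profile, so the precondition is absent
        # An IdP profile that is missing or unvalidated is reported (fail closed).
        if not validates.get(idp_name, False):
            risky.append(prof.get("name"))
    return risky


if __name__ == "__main__":
    for name in find_risky_saml_profiles(SAMPLE_CONFIG):
        print(f"auth profile {name!r}: SAML enabled with IdP cert validation off")
```

A profile using the local database is skipped entirely, and a SAML profile whose IdP validates the certificate is not reported; only the combination the bulletin names is flagged.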