Foreign hackers backed by a well-resourced government are likely to attempt exploiting a critical vulnerability in a host and VPN and firewall products sold by Palo Alto Networks, officials in the US federal government warned on Tuesday.
In worst-case scenarios, the security vendor said in a post, the flaw allows unauthorized people to log in to networks as administrators. With those privileges, attackers could install software of their choice or carry out other malicious actions that have serious consequences. The vulnerability, tracked as CVE-2020-2021, can be exploited when an authentication mechanism known as Security Assertion Markup Language is used to validate that users gave the proper permission to access a network. Attackers must also have Internet access to an affected server.
Shortly after Palo Alto Networks issued the advisory, the official Twitter account for the US Cybersecurity and Infrastructure Security Agency warned that the vulnerability is likely to be exploited in the wild by APTs, short for advanced persistent threats. APT is the term many researchers use for sophisticated hacker groups that attempt to breach select targets of interest over extended periods of time.
“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” the agency warned on Twitter. “Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.”
The vulnerability can be exploited only when authentication is enabled and the validate identity provider certificate option is disabled. In that case, the affected Palo Networks products fail to properly verify signatures. The failure is the result of flaws in PAN-OS SAML. Vulnerable releases are PAN-OS 9.1, PAN-OS 9.0 earlier then 9.0.9, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0. PAN-OS 7.1 is unaffected.
The devices normally require admins to supply a password and a second factor of authentication such as a temporary password generated on the fly. The vulnerabilities allow attackers to bypass this requirement so that they gain the same access and control. Palo Alto Networks’ advisory read:
In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
The company issued a knowledge-base article that explains how to check for vulnerable configurations and, if found, specific actions required to fix them. The fixes are available in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.
To check if a vulnerable firewall uses SAML authentication, admins can inspect Device > Server Profiles > SAML Identity Provider. For Palo Alto Networks’ Panorama administrator, admins should see the configuration under Panorama > Server Profiles > SAML Identity Provider. Checking whether SAML authentication is turned on for firewalls managed by Panorama involves inspecting Device > [template] >Server Profiles > SAML Identity Provider. Any unauthorized access will be documented in system logs.
CISA’s alarm stems from the vulnerability carrying a maximum score on the CSSv3 severity scale of 10. Researchers reserve the score for vulnerabilities that are easy to exploit and require a relatively little amount of hacking savvy. The high score is also used when stakes are high—such as in cases where core security can be bypassed and where attacks can be remotely carried out, i.e., over the Internet.
When updating affected devices, people should ensure that the signing certificate for their SAML identity provider is configured as the “Identity Provider Certificate” before upgrading to ensure that users of the device can continue to authenticate successfully, according to Palo Alto.
Palo Alto Networks said it has no evidence the flaw is being actively exploited. Still, Tuesday’s advisory explaining the basics of the flaw, combined with the assessment in-the-wild exploits are likely to follow, means admins have a limited Window of opportunity to secure their systems.