Popular networking and edge security equipment produced by Palo Alto Networks has a critical security flaw that could easily be exploited by unauthenticated attackers to gain access to otherwise protected resources, the company said in an advisory published on Monday.
The vulnerability (CVE-2020-2021) — which occurs in PAN-OS, the operating system for Palo Alto Networks’ security appliance—allows attackers who have access to a server protected with authentication using the Security Assertion Markup Language (SAML) to bypass the security and gain access to the network servers and devices protected by the hardware. Security experts quickly issued warnings for companies to patch the issue, which rated the highest severity rating — 10 out of 10 on the Common Vulnerability Scoring System (CVSS).
The vulnerability merited an alert from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) that encouraged network administrators to review the advisory and apply the recommended updates, along with a stern warning from the Department of Defense’s US Cyber Command (USCYBERCOM).
“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” the USCYBERCOM stated in its own cybersecurity alert posted to Twitter. “Foreign APTs will likely attempt [to] exploit soon,” using the acronym for advanced persistent threat actors — a term used to refer to nation-states and some sophisticated cybercriminals groups.
The vulnerability’s disclosure comes during a traditionally slow week, when US workers and their companies prepare for the Independence Day holiday, during which many IT teams may put off major patches. Some 69,000 Internet-connected devices have been found that run PAN-OS, more than 41% of which are in the United States, according to an analysis by vulnerability-management firm Rapid7.
Yet security researchers warn that the flaw allows attackers to bypass the outer perimeter of network security and are quite confident that attackers are working on producing an exploit. Companies likely have 24 to 48 hours before a proof-of-concept emerges, says Bob Rudis, chief data scientist at Rapid7.
“[Attackers] are still figuring out the exploit, and once that happens we are going to see this explode,” he says, adding that easy network exploits have a fairly typical progression. “Once there is an exploit, we are going to see more scanning for finding any vulnerable endpoints, and then they will stop scanning as they figure out how they are going to attack.”
The Security Assertion Markup Language (SAML) is a standard way of passing authentication information from an identity provider to a service that requires authorization. Users typically log into the identity provider and then uses the SAML certificate as their token to gain access to other services that trust that identity provider. Setting up SAML is common for companies that deploy single sign-on (SSO), especially if they have multifactor authentication required for the initial login.
Palo Alto Network customers that have deployed GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls, Panorama web interfaces, or Prisma Access systems could all be vulnerable to the issue if their SAML identity provider profile allows a signed SAML message but does not validate the identity provider’s certificate.
While Palo Alto Networks recommends that customers always validate the identity provider’s certificate, third-party identity providers often recommend to uncheck the setting that enforces the validation because certificate management can be difficult for many companies. The vulnerable setting may affect 30% to 45% of installations, according to an estimate by Rapid7’s Rudis.
“It is important to note that Palo Alto strongly discourages disabling identity provider certificate validation in its setup documentation,” Rudis wrote in the company’s advisory.
Others agree that the validation check of the identity provider’s certificate is frequently turned off.
“This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification and using SAML to interface with back-end authorization services,” said Bryan Skene, chief technology officer of network-security provider Tempered, in a statement sent to Dark Reading. “Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely.”
Palo Alto may also not be alone in its vulnerability. Security researchers believe the issue could be in common component used to parse or handle SAML certificates, which could mean that other products are also vulnerable. Open source dependencies are a common reason that a large number of applications are found vulnerable.
“While this particular advisory is specific to PAN-OS, it’s likely that other vendors’ SAML implementations are vulnerable to similar issues,” Rudis stated in the analysis. “Developers and the broader security community would be well-advised to ensure that code with implications for SAML is reviewed thoroughly, since the severity of vulnerabilities affecting authentication mechanisms is inherently high.”
Palo Alto Networks thanked Salman Khan and Cameron Duck from the security team at Monash University in Melbourne, Australia, for finding the vulnerability.
“As soon as we became aware of the reported vulnerability, we initiated an internal investigation, quickly issued a fix, and focused on helping our customers upgrade before the security advisory published,” the company said. “Palo Alto Networks remains available around the clock to support our customers through this process. We thank the researchers for alerting us to this issue.”
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio