On June 29, 2020, Palo Alto Networks released a security advisory for CVE-2020-2021, a vulnerability affecting several PAN-OS versions. Because PAN-OS SAML authentication improperly verifies signatures in a specific configuration, an unauthenticated, network-based attacker can gain access to resources that SAML authentication is supposed to protect.
Successful exploitation against the PAN-OS or Panorama web interface could allow an unauthenticated attacker to perform administrative actions.
Neither the Masergy Threat Intelligence team nor the security team at Palo Alto Networks is currently aware of publicly available proof-of-concept code or of active exploitation in the wild. We assess that sophisticated actors are likely to pursue weaponization of this vulnerability. The Masergy Threat Intelligence team will continue to monitor the situation as it develops.
Vulnerability details:
- CVE-2020-2021 – When Security Assertion Markup Language (SAML) authentication is used with the 'Validate Identity Provider Certificate' option disabled, PAN-OS SAML authentication improperly verifies signatures, enabling an unauthenticated, network-based attacker to access protected resources. The issue cannot be exploited if SAML is not used for authentication, or if 'Validate Identity Provider Certificate' is enabled (which requires the identity provider certificate to be signed by a certificate authority).

Resources protected by SAML authentication that are exposed in the vulnerable configuration:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-generation firewall (PA-Series, VM-Series) and Panorama web interfaces
- Prisma Access

Affected versions:
- PAN-OS 9.1 versions earlier than 9.1.3
- PAN-OS 9.0 versions earlier than 9.0.9
- PAN-OS 8.1 versions earlier than 8.1.15
- All PAN-OS 8.0 versions (end-of-life)
PAN-OS 7.1 is not affected.
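To make the configuration dependency concrete, the following Go program is an added illustration, not code from this advisory, from Masergy, or from PAN-OS (whose implementation is not public and is not reproduced here). It models a service provider checking a SAML-style assertion two ways: against whatever certificate the message itself carries, which is what a verifier without identity provider certificate validation amounts to, and against a certificate that must chain to the CA configured for that identity provider, which is the property 'Validate Identity Provider Certificate' exists to enforce. The assertion format, the hostnames, the "admin" subject and all function names are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assertion is a simplified stand-in for a signed SAML Response: the claims the
// service provider acts on, the signature, and the certificate the message
// itself carries (ds:KeyInfo/ds:X509Data in real SAML).
type Assertion struct {
	Issuer, Subject string
	Signature       []byte
	Cert            *x509.Certificate
}

// signedBytes is the canonical byte string the signature covers.
func signedBytes(a *Assertion) []byte {
	return []byte("Issuer=" + a.Issuer + ";Subject=" + a.Subject)
}

// must panics on error; acceptable here because this is a demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert generates an RSA key pair and a self-signed certificate for
// cn. Anyone can do this, so a certificate says nothing about who holds the key
// unless the verifier checks who issued it.
func newSelfSignedCert(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// Sign produces an assertion signed with key that embeds cert as its claimed signer.
func Sign(issuer, subject string, key *rsa.PrivateKey, cert *x509.Certificate) *Assertion {
	a := &Assertion{Issuer: issuer, Subject: subject, Cert: cert}
	digest := sha256.Sum256(signedBytes(a))
	a.Signature = must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	return a
}

// VerifyWeak checks the signature against the certificate carried in the message
// and nothing else. This models IdP certificate validation being disabled: the
// signature is valid, but the key behind it was chosen by whoever built the message.
func VerifyWeak(a *Assertion) error {
	pub, ok := a.Cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signing key type %T", a.Cert.PublicKey)
	}
	digest := sha256.Sum256(signedBytes(a))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature)
}

// VerifyStrict first requires the embedded certificate to chain to the CA
// configured for this IdP, then checks the signature: the property that
// 'Validate Identity Provider Certificate' is meant to enforce.
func VerifyStrict(a *Assertion, trustedIdPRoots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trustedIdPRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := a.Cert.Verify(opts); err != nil {
		return fmt.Errorf("signing certificate is not from the configured IdP CA: %w", err)
	}
	return VerifyWeak(a)
}

// Scenario builds a legitimate IdP and an attacker with their own key pair, has
// both sign an assertion naming an administrator, and reports which verifier
// accepts which message. Hostnames and the "admin" subject are constructed inputs.
func Scenario() (weakAcceptsForgery, strictAcceptsForgery, strictAcceptsGenuine bool) {
	idpKey, idpCert := newSelfSignedCert("idp.example.com")
	// Same CommonName as the real IdP so the certificate looks right; only the key differs.
	attackerKey, attackerCert := newSelfSignedCert("idp.example.com")
	roots := x509.NewCertPool()
	roots.AddCert(idpCert) // the only trust anchor configured for this IdP
	genuine := Sign("https://idp.example.com", "admin", idpKey, idpCert)
	forged := Sign("https://idp.example.com", "admin", attackerKey, attackerCert)
	return VerifyWeak(forged) == nil, VerifyStrict(forged, roots) == nil, VerifyStrict(genuine, roots) == nil
}

func main() {
	weak, strictForged, strictGenuine := Scenario()
	fmt.Printf("weak accepts forgery: %v, strict accepts forgery: %v, strict accepts genuine: %v\n", weak, strictForged, strictGenuine)
}
```

Run it with `go run`: the weak verifier accepts the forged assertion, while the strict verifier rejects it and still accepts the genuine one. In a real SAML deployment the certificate check is necessary but not sufficient; the service provider must also confirm that the signature actually covers the assertion it acts on, and validate Issuer, Audience, InResponseTo and the NotBefore/NotOnOrAfter conditions.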
We recommend the following actions:
- Upgrade PAN-OS to a version unaffected by CVE-2020-2021 after appropriate testing.
- Complete the additional steps in the 'Solution' section of the Palo Alto Networks advisory, which include checking for and removing any unauthorized users that may have been created while the vulnerable configuration was in place.
- If upgrading is not immediately possible, apply the steps in the 'Workarounds and Mitigations' section of the advisory. In practice this means ensuring the identity provider certificate is CA-signed and enabling 'Validate Identity Provider Certificate' in the SAML Identity Provider Server Profile, or temporarily switching to a different authentication method; with either in place the issue cannot be exploited.