Palo Alto Network (PAN) has recently fixed a critical vulnerability, related to the PAN-OS operating systems. The operating systems are known to power Palo Alto’s next-generation firewall. The vulnerability is tracked as CVE-2020-2021 with a CVSSv3 base score of 10. PAN-OS is the custom operating system (OS) that Palo Alto Networks (PAN) uses in their next-generation firewalls.
PAN has also uncovered a critical OS command injection vulnerability in the GlobalProtect portal which is tracked as CVE-2020-2034 with a CVSSv3 base score of 8.1.
CVE-2020-2021|Authentication Bypass Vulnerability in SAML in PAN-OS:
- An authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication exists in PAN-OS. The flaw exists when Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled. Thus, leading to improper verification of signatures in PAN-OS SAML authentication.
- Successful exploitation of the vulnerability could allow an unauthenticated, remote attacker to obtain access to “protected resources” within a network. However, the attacker must have network access to the vulnerable server to exploit this vulnerability. The most ideal target, in this case, is Palo Alto Networks’ GlobalProtect VPN.
PAN-OS devices might be configured to use SAML authentication with single sign-on (SSO) for access management. The resources that utilize SAML SSO as potentially affected by this vulnerability are:
GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication, and Captive Portal and PAN-OS next-gen firewalls like PA-Series, VM-Series, Panorama Web Interfaces, Prisma Access.
CVE-2020-2034|OS command execution in Palo Alto PAN-OS GlobalProtect portal:
- An os command injection vulnerability exists in the PAN-OS GlobalProtect portal. The flaw exists due to improper input validation in the PAN-OS GlobalProtect portal. A remote unauthenticated network-based attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.
- An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges.
- For exploitation of the vulnerability, an attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit.
- Successful exploitation of this vulnerability may result in a complete compromise of the vulnerable system.
Attackers either require some level of firewall configuration information or a brute force method to exploit the issue. This vulnerability cannot be exploited if the GlobalProtect portal feature is not enabled.
Palo Alto Networks might not be aware of the attacks in the wild for some of these vulnerabilities.
The exploitation of these vulnerabilities could allow remote attackers to take full control over the affected system and obtain sensitive information.
PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
All versions of PAN-OS 8.0 and PAN-OS 7.1
We strongly recommend installing security updates without any delay.