Critical Vulnerabilities in Palo Alto Networks PAN-OS devices

Jul 9, 2020 | By Jithendra R | 3 min read

Palo Alto Networks (PAN) has recently fixed a critical vulnerability in PAN-OS, the custom operating system that powers its next-generation firewalls. The vulnerability is tracked as CVE-2020-2021 and carries a CVSSv3 base score of 10. Vulnerability management software can help prevent attacks against such flaws.

PAN has also disclosed a critical OS command injection vulnerability in the GlobalProtect portal, tracked as CVE-2020-2034, with a CVSSv3 base score of 8.1. A good vulnerability management tool can help address these issues.

Vulnerability Details:

CVE-2020-2021 | Authentication Bypass Vulnerability in SAML in PAN-OS:

  • An authentication bypass vulnerability exists in the Security Assertion Markup Language (SAML) authentication of PAN-OS. The flaw is present when SAML authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled, which leads to improper verification of signatures in PAN-OS SAML authentication.
  • Successful exploitation could allow an unauthenticated, remote attacker to obtain access to “protected resources” within a network. The attacker must, however, have network access to the vulnerable server. In this case, the most exposed target is the Palo Alto Networks GlobalProtect VPN.

PAN-OS devices may be configured to use SAML authentication with single sign-on (SSO) for access management. The resources that use SAML SSO and are therefore potentially affected by this vulnerability are:
GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, and the web interfaces of PAN-OS next-generation firewalls (PA-Series, VM-Series), Panorama, and Prisma Access.

CVE-2020-2034 | OS command execution in Palo Alto PAN-OS GlobalProtect portal:

  • An OS command injection vulnerability exists in the PAN-OS GlobalProtect portal due to improper input validation. A remote, unauthenticated, network-based attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.
  • To exploit CVE-2020-2034, an attacker needs some specific information about the configuration of the affected firewall, or must otherwise resort to brute-force attempts.
  • Successful exploitation of this vulnerability may result in a complete compromise of the vulnerable system.

Because attackers need either firewall configuration details or a brute-force approach, the issue is harder to exploit blindly. The vulnerability is not exploitable if the GlobalProtect portal feature is not present.

Palo Alto Networks has not reported any attacks in the wild exploiting these vulnerabilities.

Impact

Exploitation of these vulnerabilities could allow remote attackers to take full control of the affected system and obtain sensitive information.

Affected Products

PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
All versions of PAN-OS 8.0 and PAN-OS 7.1
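As an added illustration (not code from the advisory or from Palo Alto Networks), the following Python checks a PAN-OS version string against the affected ranges listed above so that a firewall inventory can be triaged; the version-string format with an optional "-h<n>" hotfix suffix and the sample inventory are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Affected branches as listed in the advisory: branch -> first fixed release.
# None means every release of that branch is affected (no fixed version listed).
FIXED_IN: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
    (8, 0): None,
    (7, 1): None,
}

# Assumed version format: major.minor.patch with an optional "-h<n>" hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '9.0.8' or '9.1.2-h1' into (major, minor, patch, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at or
    above the fixed release, None if the branch is not covered by the advisory."""
    major, minor, patch, _hotfix = parse_version(version)
    branch = (major, minor)
    if branch not in FIXED_IN:
        return None
    fixed = FIXED_IN[branch]
    if fixed is None:
        return True  # whole branch affected; move to a supported branch
    # Hotfixes do not change the patch level, so compare on (major, minor, patch).
    return (major, minor, patch) < fixed

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> PAN-OS version to hostname -> affected / fixed / not covered."""
    labels = {True: "affected", False: "fixed", None: "not covered"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"fw-edge-1": "9.1.2-h1", "fw-dc-2": "9.0.9", "fw-old-3": "8.0.21"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```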

Solution

Palo Alto Networks has published a security advisory addressing CVE-2020-2021 and CVE-2020-2034.

We strongly recommend installing security updates without any delay.
