Priority: Critical

Executive Summary:
Palo Alto Networks have released details of a critical vulnerability affecting PAN-OS, the operating system which runs on all Palo Alto next-generation firewalls [1]. The vulnerability, CVE-2020-2021, can allow attackers to bypass authentication, meaning an attacker can log into a server as an administrator. This means that a threat actor who is able to access a vulnerable Palo Alto firewall would be able to perform administrative actions, such as disabling firewall rules. The vulnerability only affects systems under certain configurations: specifically, systems which use Security Assertion Markup Language (SAML) for authentication and which have the ‘Validate Identity Provider Certificate’ option disabled in the SAML Identity Provider Server Profile. Systems which do not have this configuration should not be vulnerable. Palo Alto Networks have said that an attacker would need network access to the affected system in order to compromise it; however, this means that any firewall that connects to the internet would be remotely exploitable. They have also released patches for affected systems.

In a Tweet, the US Cyber Command have stated that devices should be patched ‘immediately’ as ‘foreign APTs will likely attempt [to] exploit soon’ [2]. Although Palo Alto stated in their security advisory that they are ‘not aware of any malicious attempts to exploit this vulnerability’, the statement from the US Cyber Command suggests that attacks are highly likely to be seen in the wild soon, if they have not been seen by other organisations already. ITC therefore strongly advises that any systems running PAN-OS should be updated to the most recent version as quickly as possible, to avoid becoming the victim of an attack.

All PAN-OS versions listed below which are using SAML authentication and which are not validating the identity provider certificate are affected. See below for a list of affected products.

For ITC’s VI customers, the PAN-OS vulnerability will be detected through running scans, or through ad-hoc scans if required.

Affected Products:

The following PAN-OS versions are affected:

  • 9.1.2 and earlier
  • 9.0.8 and earlier
  • 8.1.14 and earlier
  • 8.0

(Version 7.1 does not appear to be affected)

Palo Alto Networks have released patches for their affected versions. Updating affected systems to the most up-to-date version will prevent this vulnerability from being exploited on them.

The vulnerability can be mitigated by not using SAML for authentication, or by ensuring that the identity provider certificate validation is enabled if SAML is being used for authentication.

Affected systems should be updated as soon as possible. Although the mitigations discussed previously can be used, updating the systems should be the safest approach, unless there is a reason that systems cannot be updated promptly.

Systems which are not using an affected configuration should still be updated at an organisation’s earliest convenience.
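The conditions above (affected version, SAML in use, certificate validation disabled) can be applied to a device inventory to decide what to patch first. The following Python is an added example, not code from Palo Alto Networks or ITC; the record fields (`version`, `saml_auth`, `validate_idp_cert`) and the sample inventory are constructed, and it assumes each listed bound applies within its own release branch and that a hotfix suffix such as `-h1` does not change whether a release is affected.

```python
import re

# Last affected maintenance release per branch, taken from the list above.
# None = every release in the branch is affected (the page lists "8.0" whole).
LAST_AFFECTED = {(9, 1): 2, (9, 0): 8, (8, 1): 14, (8, 0): None}
NOT_AFFECTED = {(7, 1)}  # "does not appear to be affected"


def parse_version(text):
    """Split '9.0.8-h1' into ((9, 0), 8); the hotfix suffix is dropped (assumption)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(g) for g in m.groups())
    return (major, minor), maint


def version_affected(text):
    """True/False for listed branches, None when the page does not list the branch."""
    branch, maint = parse_version(text)
    if branch in NOT_AFFECTED:
        return False
    if branch not in LAST_AFFECTED:
        return None
    last = LAST_AFFECTED[branch]
    return last is None or maint <= last


def triage(device):
    """Classify one inventory record (field names are hypothetical)."""
    affected = version_affected(device["version"])
    if affected is None:
        return "CHECK_ADVISORY"  # branch not covered by the list above
    risky_config = device["saml_auth"] and not device["validate_idp_cert"]
    if affected and risky_config:
        return "VULNERABLE"      # patch now, or enable certificate validation
    if affected:
        return "PATCH_SOON"      # configuration not exploitable, still update
    return "OK"


# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "fw-edge-01", "version": "9.1.2-h1", "saml_auth": True, "validate_idp_cert": False},
    {"name": "fw-edge-02", "version": "9.0.9", "saml_auth": True, "validate_idp_cert": False},
    {"name": "fw-core-01", "version": "8.1.14", "saml_auth": True, "validate_idp_cert": True},
    {"name": "fw-lab-01", "version": "8.0.20", "saml_auth": False, "validate_idp_cert": False},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d['name']:<12} {d['version']:<10} {triage(d)}")
```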

If you have the ITC Managed Firewall service, your devices have already been reviewed and where needed, emergency patches have been implemented.