Palo Alto Networks has issued a Critical security advisory for PAN-OS authentication bypass in SAML authentication vulnerability CVE-2020-2021.
The vulnerability affects Palo Alto Networks firewalls PAN-OS configured to run Security Assertion Markup Language (SAML).
Palo Alto Networks describes the critical flaw in an advisory published on June 29:
“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.”
Palo Alto Networks
It is also important to note that the issue cannot be exploited if SAML is not used for authentication (e.g., uses Radius).
Palo Alto Networks also says that before you upgrade, make sure the signing certificate for your SAML Identity Provider is configured as the ‘Identity Provider Certificate.’ That way, your users can continue to authenticate successfully without issues.
The company also warns that “in the worst case,” the vulnerability has a CVSS Base Score of 10.0 and Critical severity.
The issue affects the following versions of PAN-OS:
- 9.1 versions earlier than 9.1.3
- 9.0 versions earlier than 9.0.9
- 8.1 versions earlier than 8.1.15
- All 8.0 versions (that is EOL).
However, the issue does not affect PAN-OS 7.1.