Overview of the SAML authentication vulnerability on PAN-OS devices
On Monday, June 29, 2020, Palo Alto released details on CVE-2020-2021, a new, critical weakness in SAML authentication on PAN-OS devices. This vulnerability impacts:

- PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
- PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
- PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
- All versions of PAN-OS 8.0 (EOL)

It does not affect PAN-OS 7.1.
As of this post, there are no known proof-of-concept exploits available.
Rapid7 recommends patching your PAN-OS devices regardless of whether organizations are exposing this specific configuration, but sites that do have their PAN-OS devices configured this way should patch immediately.
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (think Okta, Duo, etc.) to pass authorization credentials to service providers. In other words, you can use one set of credentials to access many different websites or, in this case, devices.
If SAML is enabled on affected PAN-OS versions and the “Validate Identity Provider Certificate” option is disabled, then remote attackers can use this weakness to bypass authentication and access resources on the protected side of the network. It is important to note that Palo Alto strongly discourages disabling identity provider certificate validation in its setup documentation.
Attackers require network access to take advantage of this weakness, which means users of Palo Alto’s GlobalProtect VPN are susceptible to this vulnerability if it is configured with SAML authentication and identity provider certificate validation is disabled.
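The two conditions above (an affected PAN-OS release and a SAML IdP profile with certificate validation turned off) can be checked against a version string and an exported configuration. The following is an added example, not code from Rapid7 or Palo Alto; the XML path `shared/server-profile/saml-idp/entry` and the `validate-idp-certificate` element are assumed, and the sample config is constructed.

```python
"""Flag PAN-OS builds and SAML IdP profiles matching the exposure conditions."""
import re
import xml.etree.ElementTree as ET

# First fixed release per affected train, as listed in the advisory summary above.
FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}

def parse_version(s):
    # "9.1.2-h1" -> (9, 1, 2); hotfix suffixes do not change the train comparison
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    major, minor, patch = parse_version(version)
    if (major, minor) == (8, 0):
        return True            # every 8.0 release is affected (EOL, no fix)
    if (major, minor) in FIXED:
        return (major, minor, patch) < FIXED[(major, minor)]
    return False               # 7.1 and trains not listed above

def weak_saml_profiles(config_xml):
    """Names of SAML IdP server profiles with IdP certificate validation off.
    Assumed layout (not from the page): shared/server-profile/saml-idp/entry
    with a <validate-idp-certificate> child holding 'yes' or 'no'."""
    root = ET.fromstring(config_xml)
    weak = []
    for block in root.iter("saml-idp"):
        for prof in block.findall("entry"):
            flag = prof.findtext("validate-idp-certificate", default="yes")
            if flag.strip().lower() != "yes":
                weak.append(prof.get("name"))
    return weak

def exposure(version, config_xml):
    """True only when both conditions hold; also returns the offending profiles."""
    weak = weak_saml_profiles(config_xml)
    return version_affected(version) and len(weak) > 0, weak

# Constructed sample export, not taken from a real device.
SAMPLE_CONFIG = """<config>
 <shared><server-profile><saml-idp>
   <entry name="okta-prod"><validate-idp-certificate>no</validate-idp-certificate></entry>
   <entry name="duo-lab"><validate-idp-certificate>yes</validate-idp-certificate></entry>
 </saml-idp></server-profile></shared>
</config>"""

if __name__ == "__main__":
    print(exposure("9.1.2", SAMPLE_CONFIG))   # (True, ['okta-prod'])
```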
Exposure analysis of CVE-2020-2021
Organizations using