US Cyber Command: Foreign APTs Likely to Exploit New Palo Alto Networks Flaw

Palo Alto Networks revealed on Monday that it has patched a critical authentication bypass vulnerability in its PAN-OS firewall operating system, and U.S. Cyber Command believes foreign APTs will likely attempt to exploit it soon.


The vulnerability, tracked as CVE-2020-2021 with a CVSS score of 10, affects PAN-OS 8.0, 8.1, 9.0 and 9.1, and it has been patched with the release of versions 8.1.15, 9.0.9 and 9.1.3 — version 7.1 is not impacted.


“When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability,” Palo Alto Networks explained in an advisory.


In the case of Palo Alto Networks’ GlobalProtect (Gateway, Portal, Clientless VPN), Captive Portal, and Prisma Access products, an unauthenticated attacker who has network access to the targeted server can exploit the vulnerability to access protected resources. For PAN-OS and Panorama interfaces, an unauthenticated attacker on the network can log in as an admin.


CERT/CC analyst Will Dormann has pointed out that some identity service providers instruct customers to use the configuration required to exploit the vulnerability.


While Palo Alto Networks’ advisory says the company is not aware of malicious attempts to exploit CVE-2020-2021, USCYBERCOM warned on Twitter that “foreign APTs will likely attempt exploit soon.”



APT groups exploiting vulnerabilities in Palo Alto Networks products is not unheard of. Last year, a couple of researchers disclosed a series of serious