Dark Reading is part of the Informa Tech Division of Informa PLC


Attackers Will Target Critical PAN-OS Flaw, Security Experts Warn

After Palo Alto Networks alerted users to a simple-to-exploit vulnerability in its network security gear, security agencies quickly warned that attackers won't wait to jump on it.

Popular networking and edge security equipment produced by Palo Alto Networks has a critical security flaw that could easily be exploited by unauthenticated attackers to gain access to otherwise protected resources, the company said in an advisory published on Monday.

The vulnerability (CVE-2020-2021) lies in PAN-OS, the operating system that runs on Palo Alto Networks' security appliances. When the appliance authenticates users with the Security Assertion Markup Language (SAML) and does not validate the identity provider's certificate, an unauthenticated attacker with network access to a SAML-protected resource can bypass authentication and reach the servers and devices the appliance is supposed to protect. Security experts quickly urged companies to patch the issue, which received the highest possible severity rating, 10 out of 10, on the Common Vulnerability Scoring System (CVSS).

The vulnerability merited an alert from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) that encouraged network administrators to review the advisory and apply the recommended updates, along with a stern warning from the Department of Defense's US Cyber Command (USCYBERCOM).

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," the USCYBERCOM stated in its own cybersecurity alert posted to Twitter. "Foreign APTs will likely attempt [to] exploit soon," using the acronym for advanced persistent threat actors, a term used to refer to nation-states and some sophisticated cybercriminal groups.

The vulnerability's disclosure comes during a traditionally slow week, when US workers and their companies prepare for the Independence Day holiday, during which many IT teams may put off major patches. Some 69,000 Internet-connected devices have been found that run PAN-OS, more than 41% of which are in the United States, according to an analysis by vulnerability-management firm Rapid7.

Yet security researchers warn that the flaw allows attackers to bypass the outer perimeter of network security and are quite confident that attackers are working on producing an exploit. Companies likely have 24 to 48 hours before a proof-of-concept emerges, says Bob Rudis, chief data scientist at Rapid7.

"[Attackers] are still figuring out the exploit, and once that happens we are going to see this explode," he says, adding that easy network exploits have a fairly typical progression. "Once there is an exploit, we are going to see more scanning for finding any vulnerable endpoints, and then they will stop scanning as they figure out how they are going to attack."

The Security Assertion Markup Language (SAML) is a standard way of passing authentication information from an identity provider to a service that needs to know who the user is. Users typically log into the identity provider and then present the signed SAML assertion it issues as their token to gain access to other services that trust that identity provider. Setting up SAML is common for companies that deploy single sign-on (SSO), especially if they require multifactor authentication for the initial login.

Palo Alto Networks customers that have deployed GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls, Panorama web interfaces, or Prisma Access systems could all be vulnerable to the issue if their SAML identity provider profile accepts signed SAML messages but does not validate the identity provider's certificate, that is, if the "Validate Identity Provider Certificate" option is unchecked.

While Palo Alto Networks recommends that customers always validate the identity provider's certificate, third-party identity providers often recommend unchecking the setting that enforces validation because certificate management is difficult for many companies. The vulnerable setting may be present in 30% to 45% of installations, according to an estimate by Rapid7's Rudis.
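To make concrete what that one checkbox changes, here is an added example that is not code from the article, from Palo Alto Networks or from any SAML library. It is a simplified Go model of a service provider checking a signed assertion under both configurations, and it also walks through the SAML flow sketched above: the identity provider signs an assertion, the service provider verifies it. A small struct with an ECDSA P-256 signature stands in for a real XML response, and the entityID, user names and key pairs are constructed for the demo; it models the effect the article describes, not PAN-OS's actual code path. With certificate validation off, the verifier checks the signature against the key embedded in the message itself, so an attacker who signs an assertion with their own key pair and names the real identity provider as issuer is accepted. With validation on, the embedded key must match the identity provider key the service provider was configured with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Assertion is a deliberately simplified stand-in for a signed SAML <Response>:
// the claims the service provider (SP) acts on plus the signer's key material.
type Assertion struct {
	Issuer, NameID string // IdP entityID and authenticated subject
	SignerKey      []byte // DER public key; models the certificate in <ds:X509Data>
	Signature      []byte // ECDSA P-256 over SHA-256 of the signed fields
}

func digest(a Assertion) []byte {
	h := sha256.Sum256([]byte(a.Issuer + "\x00" + a.NameID)) // a real SP canonicalizes XML here
	return h[:]
}

// sign models whoever holds priv (the real IdP, or an attacker with a key pair of
// their own) issuing an assertion and embedding their own public key in it.
func sign(priv *ecdsa.PrivateKey, issuer, nameID string) Assertion {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	a := Assertion{Issuer: issuer, NameID: nameID, SignerKey: der}
	a.Signature, err = ecdsa.SignASN1(rand.Reader, priv, digest(a))
	if err != nil {
		panic(err) // signing fails only if the CSPRNG does
	}
	return a
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SPConfig mirrors the SP side of a SAML IdP profile, including the toggle PAN-OS calls "Validate Identity Provider Certificate".
type SPConfig struct {
	Issuer          string
	IdPKey          *ecdsa.PublicKey
	ValidateIdPCert bool
}

func (c SPConfig) verify(a Assertion) error {
	if a.Issuer != c.Issuer {
		return errors.New("unexpected issuer")
	}
	k, err := x509.ParsePKIXPublicKey(a.SignerKey)
	signer, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("embedded key missing or not ECDSA")
	}
	// Validation off: the key the message itself supplies is trusted, so a correctly
	// signed assertion from ANY key pair passes. On: it must be the configured IdP key.
	if c.ValidateIdPCert && !signer.Equal(c.IdPKey) {
		return errors.New("signer is not the configured identity provider")
	}
	if !ecdsa.VerifyASN1(signer, digest(a), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Outcome records which configuration accepted which assertion (true = accepted).
type Outcome struct{ GenuineWeak, GenuineStrict, ForgedWeak, ForgedStrict bool }

// demo has a legitimate IdP and an attacker each sign an assertion naming the same
// issuer, then runs both SP configurations over them.
func demo() Outcome {
	const issuer = "https://idp.example.com/saml" // constructed entityID
	idpKey, attackerKey := newKey(), newKey()
	genuine := sign(idpKey, issuer, "alice@example.com")
	forged := sign(attackerKey, issuer, "admin@example.com") // attacker's key, IdP's issuer string
	weak := SPConfig{Issuer: issuer, IdPKey: &idpKey.PublicKey, ValidateIdPCert: false}
	strict := SPConfig{Issuer: issuer, IdPKey: &idpKey.PublicKey, ValidateIdPCert: true}
	return Outcome{
		GenuineWeak:   weak.verify(genuine) == nil,
		GenuineStrict: strict.verify(genuine) == nil,
		ForgedWeak:    weak.verify(forged) == nil,
		ForgedStrict:  strict.verify(forged) == nil,
	}
}

func main() {
	// Prints {GenuineWeak:true GenuineStrict:true ForgedWeak:true ForgedStrict:false}
	fmt.Printf("%+v\n", demo())
}
```

The point the output makes is that the weak configuration is not "no signature check": a message whose contents were altered after signing still fails, which is why the setting looks safe in casual testing. What it never establishes is who signed, and an authentication bypass needs nothing more than a key pair the attacker controls. In a real deployment the pinned key is the identity provider's certificate loaded into the profile, which is exactly the certificate-management burden that leads administrators to turn the check off.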

"It is important to note that Palo Alto strongly discourages disabling identity provider certificate validation in its setup documentation," Rudis wrote in the company's advisory.

Others agree that the validation check of the identity provider's certificate is frequently turned off. 

"This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification and using SAML to interface with back-end authorization services," said Bryan Skene, chief technology officer of network-security provider Tempered, in a statement sent to Dark Reading. "Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely."

Palo Alto Networks may also not be alone in its vulnerability. Security researchers believe the issue could lie in a common component used to parse or handle SAML signatures and certificates, which could mean that other products are also vulnerable. Shared open source dependencies are a common reason a large number of applications turn out to be vulnerable at once.

"While this particular advisory is specific to PAN-OS, it's likely that other vendors' SAML implementations are vulnerable to similar issues," Rudis stated in the analysis. "Developers and the broader security community would be well-advised to ensure that code with implications for SAML is reviewed thoroughly, since the severity of vulnerabilities affecting authentication mechanisms is inherently high."

Palo Alto Networks thanked Salman Khan and Cameron Duck from the security team at Monash University in Melbourne, Australia, for finding the vulnerability.

"As soon as we became aware of the reported vulnerability, we initiated an internal investigation, quickly issued a fix, and focused on helping our customers upgrade before the security advisory published," the company said. "Palo Alto Networks remains available around the clock to support our customers through this process. We thank the researchers for alerting us to this issue." 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

User Rank: Ninja
6/30/2020 | 10:52:58 PM
Standard Patching
This is why a standard patching process is pivotal and that includes networking gear. Comprehensively, any device that is exploitable internally can act as a gateway to critical functions.