Dark Reading is part of the Informa Tech Division of Informa PLC



05:35 PM

Attackers Will Target Critical PAN-OS Flaw, Security Experts Warn

After Palo Alto Networks alerted users to a simple-to-exploit vulnerability in its network security gear, security agencies quickly warned that attackers won't wait to jump on it.

Popular networking and edge security equipment produced by Palo Alto Networks has a critical security flaw that could easily be exploited by unauthenticated attackers to gain access to otherwise protected resources, the company said in an advisory published on Monday.

The vulnerability (CVE-2020-2021) occurs in PAN-OS, the operating system for Palo Alto Networks' security appliances. It allows attackers who have network access to a server protected by authentication using the Security Assertion Markup Language (SAML) to bypass that authentication and gain access to the network servers and devices protected by the hardware. Security experts quickly issued warnings for companies to patch the issue, which received the highest severity rating, 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

The vulnerability merited an alert from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) that encouraged network administrators to review the advisory and apply the recommended updates, along with a stern warning from the Department of Defense's US Cyber Command (USCYBERCOM).

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," USCYBERCOM stated in its own cybersecurity alert posted to Twitter. "Foreign APTs will likely attempt [to] exploit soon," it added, using the acronym for advanced persistent threat actors, a term that refers to nation-states and some sophisticated cybercriminal groups.

The vulnerability's disclosure comes during a traditionally slow week, when US workers and their companies prepare for the Independence Day holiday, during which many IT teams may put off major patches. Some 69,000 Internet-connected devices have been found that run PAN-OS, more than 41% of which are in the United States, according to an analysis by vulnerability-management firm Rapid7.

Yet security researchers warn that the flaw allows attackers to bypass the outer perimeter of network security and are quite confident that attackers are working on producing an exploit. Companies likely have 24 to 48 hours before a proof-of-concept emerges, says Bob Rudis, chief data scientist at Rapid7.

"[Attackers] are still figuring out the exploit, and once that happens we are going to see this explode," he says, adding that easy network exploits have a fairly typical progression. "Once there is an exploit, we are going to see more scanning for finding any vulnerable endpoints, and then they will stop scanning as they figure out how they are going to attack."

The Security Assertion Markup Language (SAML) is a standard way of passing authentication information from an identity provider to a service that requires authorization. Users typically log into the identity provider and then use the resulting SAML token to gain access to other services that trust that identity provider. Setting up SAML is common for companies that deploy single sign-on (SSO), especially if they require multifactor authentication for the initial login.

Palo Alto Networks customers that have deployed GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls, Panorama web interfaces, or Prisma Access systems could all be vulnerable to the issue if their SAML identity provider profile allows a signed SAML message but does not validate the identity provider's certificate.

While Palo Alto Networks recommends that customers always validate the identity provider's certificate, third-party identity providers often recommend unchecking the setting that enforces validation because certificate management is difficult for many companies. The vulnerable setting may affect 30% to 45% of installations, according to an estimate by Rapid7's Rudis.
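One practical way for an administrator to find the exposed setting is to audit an exported PAN-OS XML configuration for SAML identity provider profiles that do not enforce certificate validation. The script below is an added example, not code from the article or from Palo Alto Networks; it assumes the profiles appear as `saml-idp/entry` elements with a `validate-idp-certificate` child, and the sample configuration is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS XML configuration export (element names are
# an assumption about the config layout, not copied from a real export).
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp-strict">
          <entity-id>https://idp.example.test/metadata</entity-id>
          <certificate>idp-signing-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="corp-idp-weak">
          <entity-id>https://idp.example.test/metadata</entity-id>
          <certificate>idp-signing-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp-unset">
          <entity-id>https://legacy.example.test/metadata</entity-id>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>
"""


def find_unvalidated_idp_profiles(config_xml: str) -> list:
    """Return (profile name, setting) pairs for SAML IdP profiles that do not
    enforce identity provider certificate validation.

    A missing element is reported as "unset": the auditor cannot prove the
    check is on, so the profile is treated as a finding to review."""
    root = ET.fromstring(config_xml)
    findings = []
    # Search every <saml-idp> container (shared or vsys-level) for profiles.
    for entry in root.findall(".//saml-idp/entry"):
        name = entry.get("name", "<unnamed>")
        flag = entry.findtext("validate-idp-certificate")
        if flag is None:
            findings.append((name, "unset"))
        elif flag.strip().lower() != "yes":
            findings.append((name, flag.strip()))
    return findings


if __name__ == "__main__":
    for name, setting in find_unvalidated_idp_profiles(SAMPLE_CONFIG):
        print(f"REVIEW: SAML IdP profile {name!r} has validate-idp-certificate={setting}")
```

Run it against a real export by reading the file into `find_unvalidated_idp_profiles`; any profile it reports should be reconciled with the vendor's guidance to keep certificate validation enabled.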

"It is important to note that Palo Alto strongly discourages disabling identity provider certificate validation in its setup documentation," Rudis wrote in the company's advisory.

Others agree that the validation check of the identity provider's certificate is frequently turned off. 

"This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification and using SAML to interface with back-end authorization services," said Bryan Skene, chief technology officer of network-security provider Tempered, in a statement sent to Dark Reading. "Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely."

Palo Alto Networks may also not be alone in its exposure. Security researchers believe the issue could lie in a common component used to parse or handle SAML certificates, which would mean that other products are also vulnerable. Open source dependencies are a common reason that a large number of applications turn out to be vulnerable at once.

"While this particular advisory is specific to PAN-OS, it's likely that other vendors' SAML implementations are vulnerable to similar issues," Rudis stated in the analysis. "Developers and the broader security community would be well-advised to ensure that code with implications for SAML is reviewed thoroughly, since the severity of vulnerabilities affecting authentication mechanisms is inherently high."

Palo Alto Networks thanked Salman Khan and Cameron Duck from the security team at Monash University in Melbourne, Australia, for finding the vulnerability.

"As soon as we became aware of the reported vulnerability, we initiated an internal investigation, quickly issued a fix, and focused on helping our customers upgrade before the security advisory published," the company said. "Palo Alto Networks remains available around the clock to support our customers through this process. We thank the researchers for alerting us to this issue." 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

6/30/2020 | 10:52:58 PM
Standard Patching
This is why a standard patching process is pivotal and that includes networking gear. Comprehensively, any device that is exploitable internally can act as a gateway to critical functions.