

6/30/2020 05:35 PM

Attackers Will Target Critical PAN-OS Flaw, Security Experts Warn

After Palo Alto Networks alerted users to a simple-to-exploit vulnerability in its network security gear, security agencies quickly warned that attackers won't wait to jump on it.

Popular networking and edge security equipment produced by Palo Alto Networks has a critical security flaw that could easily be exploited by unauthenticated attackers to gain access to otherwise protected resources, the company said in an advisory published on Monday.

The vulnerability (CVE-2020-2021) occurs in PAN-OS, the operating system for Palo Alto Networks' security appliances. It allows attackers who can reach a server that authenticates users with the Security Assertion Markup Language (SAML) to bypass that authentication and gain access to the network servers and devices protected by the hardware. Security experts quickly warned companies to patch the issue, which carries the highest possible severity rating, 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

The vulnerability merited an alert from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) that encouraged network administrators to review the advisory and apply the recommended updates, along with a stern warning from the Department of Defense's US Cyber Command (USCYBERCOM).

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," USCYBERCOM stated in its own cybersecurity alert posted to Twitter. "Foreign APTs will likely attempt [to] exploit soon." APT, for advanced persistent threat, is a term used to refer to nation-states and some sophisticated cybercriminal groups.

The vulnerability's disclosure comes during a traditionally slow week, when US workers and their companies prepare for the Independence Day holiday, during which many IT teams may put off major patches. Some 69,000 Internet-connected devices have been found that run PAN-OS, more than 41% of which are in the United States, according to an analysis by vulnerability-management firm Rapid7.

Yet security researchers warn that the flaw allows attackers to bypass the outer perimeter of network security and are quite confident that attackers are working on producing an exploit. Companies likely have 24 to 48 hours before a proof-of-concept emerges, says Bob Rudis, chief data scientist at Rapid7.

"[Attackers] are still figuring out the exploit, and once that happens we are going to see this explode," he says, adding that easy network exploits have a fairly typical progression. "Once there is an exploit, we are going to see more scanning for finding any vulnerable endpoints, and then they will stop scanning as they figure out how they are going to attack."

The Security Assertion Markup Language (SAML) is a standard way of passing authentication information from an identity provider to a service that requires authorization. Users typically log into the identity provider and then use the signed SAML assertion it issues as their token to gain access to other services that trust that identity provider. Setting up SAML is common for companies that deploy single sign-on (SSO), especially if they require multifactor authentication for the initial login.

Palo Alto Networks customers that have deployed GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls, Panorama web interfaces, or Prisma Access systems could all be vulnerable to the issue if their SAML identity provider profile allows a signed SAML message but does not validate the identity provider's certificate.

While Palo Alto Networks recommends that customers always validate the identity provider's certificate, third-party identity providers often recommend unchecking the setting that enforces the validation, because certificate management can be difficult for many companies. The vulnerable setting may affect 30% to 45% of installations, according to an estimate by Rapid7's Rudis.
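As an added illustration (not code from Palo Alto Networks, the advisory, or Rapid7), the Go program below models the two profile settings with Ed25519 in place of X.509 and XML-DSig: the weak verifier trusts whatever certificate the message itself carries, while the strict verifier accepts a signature only under the IdP certificate pinned in the profile. The SAMLMessage type, the assertion string and the "unrelated key" are simplified constructions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stand-in for a signed SAML Response: the assertion, the signature over it,
// and the signer's key carried inline (as <ds:X509Certificate> does in SAML).
type SAMLMessage struct {
	Assertion, Signature []byte
	SignerCert           ed25519.PublicKey
}

// Sign produces a message signed under priv that embeds priv's public key.
func Sign(priv ed25519.PrivateKey, assertion string) SAMLMessage {
	sig := ed25519.Sign(priv, []byte(assertion))
	return SAMLMessage{[]byte(assertion), sig, priv.Public().(ed25519.PublicKey)}
}

// VerifyWeak models IdP certificate validation unchecked: the signature is
// checked only against the certificate the message carries, so any key passes.
func VerifyWeak(msg SAMLMessage) bool {
	return ed25519.Verify(msg.SignerCert, msg.Assertion, msg.Signature)
}

// VerifyStrict models the recommended setting: the embedded certificate must
// equal the pinned IdP certificate, and only that pinned key checks the signature.
func VerifyStrict(msg SAMLMessage, trustedIdP ed25519.PublicKey) bool {
	return bytes.Equal(msg.SignerCert, trustedIdP) &&
		ed25519.Verify(trustedIdP, msg.Assertion, msg.Signature)
}

// Demo builds one genuine message from the configured IdP and one signed under
// an unrelated key (constructed here), and reports which verifier accepts which.
func Demo() (weakAcceptsUntrusted, strictAcceptsUntrusted, strictAcceptsGenuine bool) {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	const assertion = "<Assertion><NameID>alice</NameID></Assertion>"
	genuine, untrusted := Sign(idpPriv, assertion), Sign(otherPriv, assertion)
	return VerifyWeak(untrusted), VerifyStrict(untrusted, idpPub), VerifyStrict(genuine, idpPub)
}

func main() {
	w, s, g := Demo()
	fmt.Println("validation off accepts untrusted signer:", w) // true
	fmt.Println("validation on accepts untrusted signer: ", s) // false
	fmt.Println("validation on accepts genuine IdP:      ", g) // true
}
```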

"It is important to note that Palo Alto strongly discourages disabling identity provider certificate validation in its setup documentation," Rudis wrote in the company's advisory.

Others agree that the validation check of the identity provider's certificate is frequently turned off. 

"This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification and using SAML to interface with back-end authorization services," said Bryan Skene, chief technology officer of network-security provider Tempered, in a statement sent to Dark Reading. "Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely."

Palo Alto Networks may also not be alone in its vulnerability. Security researchers believe the issue could lie in a common component used to parse or handle SAML certificates, which would mean that other products are also vulnerable. Open source dependencies are a common reason that a large number of applications are found vulnerable at once.

"While this particular advisory is specific to PAN-OS, it's likely that other vendors' SAML implementations are vulnerable to similar issues," Rudis stated in the analysis. "Developers and the broader security community would be well-advised to ensure that code with implications for SAML is reviewed thoroughly, since the severity of vulnerabilities affecting authentication mechanisms is inherently high."

Palo Alto Networks thanked Salman Khan and Cameron Duck from the security team at Monash University in Melbourne, Australia, for finding the vulnerability.

"As soon as we became aware of the reported vulnerability, we initiated an internal investigation, quickly issued a fix, and focused on helping our customers upgrade before the security advisory published," the company said. "Palo Alto Networks remains available around the clock to support our customers through this process. We thank the researchers for alerting us to this issue." 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
RyanSepe, User Rank: Ninja, 6/30/2020 | 10:52:58 PM
Standard Patching
This is why a standard patching process is pivotal and that includes networking gear. Comprehensively, any device that is exploitable internally can act as a gateway to critical functions.