TrustedSec - CVE-2020-2021: PAN-OS SAML Security Bypass

On June 29, 2020, Palo Alto released information on a Security Assertion Markup Language (SAML) authentication bypass CVE-2020-2021. Palo Alto published the advisory PAN-148988 for a critical issue affecting multiple versions of PAN-OS.

An Overview of the Vulnerability

Description:

With network access to a device running a vulnerable version of PAN-OS and configured to use Security Assertion Markup Language (SAML) authentication, an unauthenticated remote attacker can abuse improper verification of SAML signatures to bypass authentication and subsequently gain access to resources that otherwise would have been protected. While multiple Palo Alto devices are impacted by CVE-2020-2021, vulnerable edge devices such as GlobalProtect VPNs are at the highest risk for exploitation.

Prerequisites for exploitation:

To exploit CVE-2020-2021, the PAN-OS device in question must be configured with the following options.

1. SAML Authentication Enabled

SAML authentication may be enabled in environments where SAML single sign-on is used to simplify authentication to multiple applications through an integration with an Identity Provider (IdP).

2. The “Validate Identity Provider Certificate” Option Disabled

While Palo Alto requires the use of HTTPS certificates to ensure confidentiality of SAML assertions, it also includes the capability to bypass the validation of IdP certificates. In it’s documentation for the configuration of SAML authentication with PAN-OS 8.1, Palo Alto recommends that the option “Validate Identity Provider Certificate” be enabled “to ensure it (the certificate) hasn’t been compromised.” However, (similar to what was pointed out by @FrankMcG on Twitter) in their walkthrough for configuring MFA between Duo and a PAN-OS device, Palo Alto describes disabling the very same option.

A number of SAML providers also include disabling “Validate Identity Provider Certificate” in their deployment guides.

Figure 1 – Palo Alto’s Documentation for “Configure MFA Between Duo and the Firewall”
Figure 2 – Duo’s Palo Alto SAML Documentation
Figure 3 – Okta Palo Alto SAML Documentation
Figure 4 – Microsoft Palo Alto SAML Documentation

US Cyber Command is also urging timely patching based on the severity of this exposure: https://www.us-cert.gov/ncas/current-activity/2020/06/29/palo-alto-releases-security-updates-pan-os

Additionally, a quick search of Shodan shows a number of potential GlobalProtect installations.

Figure 5 – Potential Global Protect Installs on Shodan

MITIGATION

Upgrade the current version of PAN-OS.

If SAML is currently in use, organizations should follow the recommended remediation guidelines:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK

Figure 6 – Vulnerability Flow Diagram From Palo Alto

PROOF OF CONCEPT

Currently, there is no proof of concept or example code.

DEFENSIVE MONITORING

To verify that an organization’s Palo Alto appliance has been compromised, the following logs should be reviewed for Indicators of Compromise (IoCs). Organizations should look for abnormal usernames and source IP addresses that do not conform with known-good activity.

  • Authentication Logs
  • User-ID Logs
  • ACC Network Activity Source\Destination Regions (Leveraging the Global Filter feature)
  • Custom Reports
  • Global Protection Logs

CONCLUSION

Currently, there is no evidence that this vulnerability has been exploited in the wild. However, the vulnerability has the potential to be a great threat to those who deploy Palo Alto equipment for remote access. TrustedSec clients should deploy the patch as soon as possible.

THE AFFECTED PAN-OS VERSIONS:

Version Vulnerable Not Vulnerable
9.1 < 9.1.3 >= 9.1.3
9.0 < 9.0.9 >= 9.0.9
8.1 < 8.1.15  
8.0 8.0.*  
7.1   7.1.*

Source: https://security.paloaltonetworks.com/CVE-2020-2021

SUPPORTING LINKS:

https://security.paloaltonetworks.com/CVE-2020-2021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2021

https://www.us-cert.gov/ncas/current-activity/2020/06/29/palo-alto-releases-security-updates-pan-os

The post CVE-2020-2021: PAN-OS SAML Security Bypass appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/cve-2020-2021-pan-os-saml-security-bypass/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more