Hackers primed to exploit CVSS 10-rated flaw in Palo Alto's PAN-OS
The SAML-based authentication flaw in the firm’s networking services allows an attacker to gain access to assets
US Cyber Command has urged Palo Alto customers to their patch PAN-OS networking systems before cyber criminals have the opportunity to exploit a highly critical authentication vulnerability.
Assigned a rare CVSS score of 10/10, the flaw dubbed CVE-2020-2021 can allow an attacker to bypass authentication procedures and access a device without needing to provide credentials.
The vulnerability is triggered when the Security Assertion Markup Language (SAML) is enabled and the ‘validate identity provider certificate’ option is disabled. This causes the improper verification of signatures in PAN-OS, allowing an attacker with network access to the vulnerable server to access protected resources.
“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” US Cyber Command has tweeted. “Foreign APTs will likely attempt exploit soon. We appreciate Palo Alto Networks’ proactive response to this vulnerability.”
PAN-OS is the software that runs all Palo Alto firewalls, offering customers complete visibility and control of the apps in use by all users in all locations across an enterprise network.
The flaw, which has been fixed, affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0, which has reached end-of-life.
Moreover, the flaw can only be exploited if SAML is in use for authentication. Elements of PAN-OS overseen by SAML-based authentication include virtual private network (VPN), GlobalProtect Gateways, GlobalProtect Portal, Captive Portal and Prisma Access.
Vulnerabilities assigned a 10/10 rating on the CVSS scale are rare, and normally mean the exploit is highly exploitable, easy to trigger, and require little or no additional privileges and user interaction.
RELATED RESOURCE
Putting a spotlight on cyber security
An examination of the current cyber security landscape
Nevertheless, the company has not yet seen evidence of active exploitation in the wild, despite warnings from US Cyber Command of imminent attempts by foreign APTs.
Palo Alto has urged customers to ensure the signing certificate for their SAML Identity Provider is configured as the ‘Identity Provider Certificate’ before they upgrade to a fixed version of PAN-OS.
As short-term mitigation, restarting firewalls and the Panorama web interface eliminates any unauthorised sessions on the web interface.
For evidence of a compromise, the company has urged customers to examine Authentication Logs, User-ID Logs, ACC NEtwork Activity Source/Destination Regions, Customers Reports, and GlobalProtect Logs in PAN-OS 9.1.0 and above.
-
AWS CEO Matt Garman isn’t convinced AI spells the end of the software industryNews Software stocks have taken a beating in recent weeks, but AWS CEO Matt Garman has joined Nvidia's Jensen Huang and Databricks CEO Ali Ghodsi in pouring cold water on the AI-fueled hysteria.
-
Deepfake business risks are growingIn-depth As the risk of being targeted by deepfakes increases, what should businesses be looking out for?
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
