The purpose of this report is to provide vendor specific advisories and vulnerability information that may be relevant to the security of a device(s) deployed within your network environment. Along with information about the vulnerability related issues, Proficio will provide recommended actions to either resolve, mitigate or workaround the vulnerability as provided by the vendor.
Please let us know if you have any questions or concerns about the information below. If you are a current MSS customer, please let us know if you would like assistance with implementation. Submit a change request to email@example.com .
Date: 2020 June 29
CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
GlobalProtect Clientless VPN,
Authentication and Captive Portal,
PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,
If SAML or SSO is configured; proceed to the recommendation section below.
This article will illustrate the actions to confirm the configuration is present.
This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.
This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.
If SAML or SSO is not configured, no action required. If SAML or SSO is configured, the proceed to the recommendation section below.
If SAML or SSO is configured, follow the directions below:
Using a different authentication method and disabling SAML authentication will completely mitigate the issue.
Until an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:
(a) Ensure that the ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML authentication configuration.
(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the ‘Validate Identity Provider Certificate’ option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.
Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.