Critical Security Bug May Allow Attackers to Bypass Firewalls And Corporate VPN Products

The US Cyber Command has warned that some foreign state-sponsored hacking groups may attempt to exploit a recently identified bug in some enterprise security products to breach corporate networks.

A major security threat

The critical security bug has been identified in the PAN-OS, the operating system used in firewall and VPN appliances by Palo Alto Networks.
  • It was found that due to the improper verification of signatures, hackers may be able to exploit the Security Assertion Markup Language (SAML) authentication of the PAN-OS, and may gain access to “protected resources” within a network.
  • The bug, tracked as CVE-2020-2021, is a rare security issue and has received a score of 10 out of 10 on the CVSSv3 scale, which reflects that it is technically easy to exploit, and also can be exploited remotely via the internet.
  • The bug can be exploited only in a specific configuration when the 'Validate Identity Provider Certificate' option is disabled and SAML (Security Assertion Markup Language) is enabled. Unfortunately, this configuration is used by several authentication solutions from Centrify, Trusona, or Okta, which increases the risks of its exploitation.

Other recent threats

In recent months, several other vulnerabilities have been identified in PAN-OS.
  • In February, a vulnerability (tracked as CVE-2020-1975) was identified in the PAN-OS v8.1.11 and v9.0.5, which could allow a malicious user to inject arbitrary XML on the affected system.
  • In December last year, a critical vulnerability (CVE-2019-17440) was identified in the PAN-OS 9.0.0 to 9.0.5, which could allow a malicious user to execute arbitrary codes to compromise the targeted system.

Solution

To prevent the exploitation of CVE-2020-2021, users should ensure that the signing certificate for the SAML Identity Provider is configured as the 'Identity Provider Certificate' before upgrading to the fixed version (PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3).