The US government has warned of a critical flaw in Palo Alto Networks equipment that could enable attackers to take over its devices with minimal skill.
The warning, issued by US Cyber Command, urged people to patch all devices affected by the vulnerability immediately. It said that foreign advanced persistent threat actors will attempt to exploit it soon.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
As a user of these products, US Cyber Command would have reason to worry about foreign nation-states targeting its networks and those of its partners. It is one of eleven unified commands at the US Department of Defense, and oversees the US military’s cyberspace operations.
The vulnerability, CVE-2020-2021, concerns the authentication process in PAN-OS, which is the operating system driving Palo Alto firewalls. When authentication using the Security Assertion Markup Language (SAML) is enabled and the ‘Validate Identity Provider Certificate’ option is unchecked, the system doesn’t verify signatures properly, enabling someone to gain unauthenticated access to protected resources over a network.
Although it has a severity of 10—the highest possible—this is not a remote code execution vulnerability. It would, however, allow an unauthenticated attacker with network access to web interfaces to log into its firewalls as administrator. The bug affects its PA and VM series next-generation firewalls, the company said in the vulnerability announcement.
This attack could be particularly damaging to customers now because they rely heavily on firewall and VPN access to serve employees working remotely during the COVID-19 pandemic.
The security hardware vendor said that it is not aware of any malicious attempts to exploit the vulnerability thus far.
Administrators can patch the vulnerability today by upgrading to new versions of the software. It has patched versions 8.0, 8.1, 9.0, and 9.1 with point releases to fix the problem. Alternatively, they can simply disable SAML authentication to eliminate the issue until they get the chance to fix it with a point upgrade, meaning that they would have to switch to another form of authentication.
This advisory comes almost exactly a year after Palo Alto announced a remote code execution flaw in its GlobalProtect Portal and Gateway interface products. That vulnerability, rated High with a CVSS score of 8.1, allowed attackers to execute arbitrary code without authentication. In April 2019, CMU-CERT also warned that the company’s VPN software was storing cookies insecurely in log files.