Monash Uni infosec staff find gaping security hole in Palo Alto Networks gear

By on
Monash Uni infosec staff find gaping security hole in Palo Alto Networks gear

Authentication bypass could be targeted by foreign adversaries.

Palo Alto Networks has issued patches for a critical authentication bypass in several of its enterprise security products that was reported to the security vendor by two Monash University infosec staff.

The flaw, discovered by cybersecurity systems analyst Salman Khan and systems engineer Cameron Duck at Monash University, rates 10 out of 10 on the Common Vulnerabilities Scoring System (CVSS) version 3, and is easy to exploit with no user interaction required.

"When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources," the security vendor wrote in its advisory.

Multiple versions of the Palo Alto's PAN-OS running on the company's firewall, gateway, virtual private networking and access products are affected by the flaw.

Upgrading to PAN-OS versions 8.1.15, 9.0.9 and 9.1.3 fixes the authentication bypass vulnerability.

The United States government cyber command advised users to patch all their Palo Alto Networks devices immediately, warning that overseas nation-state sponsored hackers would likely try to exploit the vulnerability.

If it's not possible to immediately patch against the vulnerability, Palo Alto Networks said configuring the SAML authentication with a Certificate Authority (CA) Identity Provider Certificate, along with enabling validation of the credential, can be used as a complete mitigation for the vulnerability.

If SAML is not used for authentication, the bypass bug can't be exploited, Palo Alto Networks said.

For now, the security vendor is not aware of any attempts at exploiting the vulnerability.

Attempts at exploiting the vulnerability can be logged by systems, but Palo Alto Networks said it can be difficult to distinguish between valid and malicious logins or sessions.

Unusual user names or source internet protocol addresses found in system logs are indicators of compromise, Palo Alto Networks warned.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?