Palo Alto Networks has issued patches for a critical authentication bypass in several of its enterprise security products that was reported to the security vendor by two Monash University infosec staff.
The flaw, discovered by cybersecurity systems analyst Salman Khan and systems engineer Cameron Duck at Monash University, rates 10 out of 10 on the Common Vulnerability Scoring System (CVSS) version 3, and is easy to exploit with no user interaction required.
"When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources," the security vendor wrote in its advisory.
Multiple versions of Palo Alto Networks' PAN-OS, which runs on the company's firewall, gateway, virtual private networking and access products, are affected by the flaw.
Upgrading to PAN-OS versions 8.1.15, 9.0.9 and 9.1.3 fixes the authentication bypass vulnerability.
The United States government cyber command advised users to patch all their Palo Alto Networks devices immediately, warning that overseas nation-state sponsored hackers would likely try to exploit the vulnerability.
"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability." — USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert), June 29, 2020
If it is not possible to patch immediately, Palo Alto Networks said that configuring SAML authentication with a Certificate Authority (CA)-signed Identity Provider Certificate, together with enabling the 'Validate Identity Provider Certificate' option, is a complete mitigation for the vulnerability.
If SAML is not used for authentication, the bypass bug can't be exploited, Palo Alto Networks said.
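The two mitigation conditions above (a CA-signed Identity Provider certificate and the validation option enabled) can be checked across exported configuration rather than by clicking through each profile. The script below is an added example, not Palo Alto Networks' code or tooling: the XML element names (`saml-idp`, `certificate`, `validate-idp-certificate`) are assumptions modelled on the setting names in the advisory, the sample configuration and the list of CA-signed certificate objects are constructed, and an absent validation element is treated as "unchecked" on purpose so that the audit errs on the side of reporting.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS SAML Identity Provider server profile.
# Element names are assumptions for illustration, not a verbatim configuration export.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp-weak">
          <certificate>idp-selfsigned</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="corp-idp-ok">
          <certificate>idp-ca-signed</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="corp-idp-unset">
          <certificate>idp-selfsigned</certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>
"""

# Constructed inventory (assumption): certificate objects known to chain to a CA.
CA_SIGNED_CERTS = {"idp-ca-signed"}


def audit_saml_profiles(config_xml, ca_signed_certs):
    """Return {profile_name: [finding, ...]}.

    An empty list means the profile matches the vendor's stated mitigation:
    a CA-signed Identity Provider certificate with validation enabled.
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for entry in root.findall(".//saml-idp/entry"):
        name = entry.get("name", "<unnamed>")
        problems = []

        cert = entry.findtext("certificate", default="").strip()
        if cert not in ca_signed_certs:
            problems.append("identity provider certificate is not CA-signed")

        validate = entry.findtext("validate-idp-certificate", default="").strip().lower()
        if validate != "yes":
            # A missing element is treated like an unchecked box (conservative assumption).
            problems.append("'Validate Identity Provider Certificate' is not enabled")

        findings[name] = problems
    return findings


if __name__ == "__main__":
    for profile, problems in audit_saml_profiles(SAMPLE_CONFIG, CA_SIGNED_CERTS).items():
        print(f"{profile}: {'OK' if not problems else '; '.join(problems)}")
```

Running it prints one line per profile; only `corp-idp-ok` comes back clean, while the profile with validation switched off and the profile that never set it both report two findings. Against a real export, replace `SAMPLE_CONFIG` with the exported XML and populate `CA_SIGNED_CERTS` from the certificate store.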
For now, the security vendor is not aware of any attempts at exploiting the vulnerability.
Attempts at exploiting the vulnerability may appear in system logs, but Palo Alto Networks said it can be difficult to distinguish valid logins or sessions from malicious ones.
Unusual user names or source IP addresses found in system logs are indicators of compromise, Palo Alto Networks warned.
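Because a forged SAML assertion produces what looks like a successful login, the two indicators the vendor names (unexpected user names and unexpected source addresses) are the practical way to triage the authentication log. The script below is an added example and not Palo Alto Networks' code: the log lines, their format, the list of accounts expected to use SAML and the trusted source networks are all constructed for the illustration, and the triage only considers successful SAML authentications, since failures are not the condition the advisory describes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real PAN-OS output); the line format is an assumption.
LOG_LINES = [
    "2020-06-29T08:12:01Z auth-success user=alice src=10.1.4.22 method=saml",
    "2020-06-29T08:14:37Z auth-success user=bob src=10.1.4.57 method=saml",
    "2020-06-29T09:02:10Z auth-success user=admin src=203.0.113.45 method=saml",
    "2020-06-29T09:02:11Z auth-success user=aXq9_svc src=203.0.113.45 method=saml",
    "2020-06-29T09:30:00Z auth-success user=alice src=198.51.100.8 method=saml",
    "2020-06-29T09:31:15Z auth-failure user=bob src=10.1.4.57 method=saml",
]

# Defender baseline (constructed): accounts expected to sign in via SAML and the
# networks those accounts normally come from.
KNOWN_USERS = {"alice", "bob", "carol"}
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth-\w+) user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$"
)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage_saml_logins(lines, known_users, trusted_nets):
    """Return [(line, [reasons])] for successful SAML logins that show either
    indicator the advisory names: an unknown user name or an untrusted source IP."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth-success" or rec["method"] != "saml":
            continue
        reasons = []
        if rec["user"] not in known_users:
            reasons.append(f"unknown user name {rec['user']!r}")
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            reasons.append(f"unparseable source address {rec['src']!r}")
        else:
            if not any(src in net for net in trusted_nets):
                reasons.append(f"source {src} outside trusted networks")
        if reasons:
            flagged.append((line, reasons))
    return flagged


def sources_to_investigate(flagged):
    """Count how many flagged logins each source address produced, so the analyst
    can pivot on the address rather than on individual lines."""
    counts = Counter()
    for line, _reasons in flagged:
        counts[parse_line(line)["src"]] += 1
    return counts


if __name__ == "__main__":
    hits = triage_saml_logins(LOG_LINES, KNOWN_USERS, TRUSTED_NETS)
    for line, reasons in hits:
        print(line, "->", "; ".join(reasons))
    print("sources:", dict(sources_to_investigate(hits)))
```

On the constructed sample, three successful logins are flagged: two from 203.0.113.45 with both an unknown account and an untrusted source, and one from a known account signing in from an untrusted address. The last case is the one the vendor warns is hard to separate from legitimate use, so it is reported with a single reason and left for the analyst to correlate with other evidence rather than treated as confirmed compromise.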