Red alert: Palo Alto firewall authentication bypass flaw ripe for exploitation

US government agency warns of fresh Palo Alto VPN security flaw
Zack Whittaker
1 day

Palo Alto Networks says there is currently no indication that the vulnerability is under active attack.

A newly discovered critical authentication bypass flaw in Palo Alto firewalls and VPNs is ripe for exploitation by nation-state attackers, US Cyber Command warns.

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML [Security Assertion Markup Language] is in use".

The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.

The bug, indexed as CVE-2020-2021, is a 10-out-of-10 critical vulnerability in the way the PAN-OS software implements SAML.

US Cyber Command warned that Palo Alto Networks, a US firewall provider used by more than 70,000 companies around the world, had found a bug in its technology that put at risk the login components built to keep remote workers secure. Under certain conditions, the flaw could let an attacker take control of one of these devices without needing a password, granting them access to the rest of the network.

The vulnerable configuration requires SAML authentication to be enabled and the "Validate Identity Provider Certificate" option to be disabled, so not all PAN-OS appliances are vulnerable by default: neither setting is in the vulnerable configuration out of the box. An unauthenticated attacker with network access could exploit the flaw to obtain sensitive information, the U.S. Cybersecurity and Infrastructure Security Agency said. According to Palo Alto Networks, there is currently no evidence of attackers actively exploiting the vulnerability. The affected resources include PAN-OS next-generation firewall and Panorama web interfaces; GlobalProtect Gateway; GlobalProtect Portal; GlobalProtect Clientless VPN; Authentication and Captive Portal; and Prisma Access. "The most ideal target, in this case, is Palo Alto Networks' GlobalProtect VPN", one blog post warns. An attacker cannot inspect or tamper with the sessions of regular users, and there is no impact on the integrity or availability of the gateway, portal or VPN server.

US cyber officials are urging American companies and individuals who rely on a popular security product to update their systems immediately, before foreign hackers can exploit a flaw in the technology to steal protected information. Moreover, enabling the "Validate Identity Provider Certificate" option in the SAML Identity Provider Server Profile will prevent hackers from exploiting the bug.
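As an added example that is not from the article or from Palo Alto Networks, the following Python script audits an exported PAN-OS XML configuration for the condition described above: a SAML Identity Provider server profile that is referenced by an authentication profile while "Validate Identity Provider Certificate" is disabled. The element layout (server-profile/saml-idp/entry with a validate-idp-certificate child, and authentication-profile entries referencing it via method/saml-idp/server-profile) is an assumption, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (assumed element layout, not a real export):
# one IdP profile validates the IdP certificate, one does not, one leaves the
# option unset, and only the unsafe one is referenced by an authentication profile.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-safe"><validate-idp-certificate>yes</validate-idp-certificate></entry>
        <entry name="okta-unsafe"><validate-idp-certificate>no</validate-idp-certificate></entry>
        <entry name="legacy-unset"/>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="vpn-users"><method><saml-idp><server-profile>okta-unsafe</server-profile></saml-idp></method></entry>
      <entry name="admins"><method><saml-idp><server-profile>okta-safe</server-profile></saml-idp></method></entry>
    </authentication-profile>
  </shared>
</config>"""


def find_vulnerable_saml_profiles(config_xml: str) -> dict:
    """Map each SAML IdP server profile that is referenced by an authentication
    profile and does not validate the IdP certificate to the profiles using it."""
    root = ET.fromstring(config_xml)
    # Which authentication profiles reference each SAML IdP server profile.
    in_use = {}
    for auth in root.iter("authentication-profile"):
        for entry in auth.findall("entry"):
            ref = entry.findtext("method/saml-idp/server-profile")
            if ref:
                in_use.setdefault(ref.strip(), []).append(entry.get("name", "?"))
    findings = {}
    for sp in root.iter("server-profile"):
        for entry in sp.findall("saml-idp/entry"):
            name = entry.get("name", "?")
            # A missing element is treated as "no": the audit fails closed.
            validate = entry.findtext("validate-idp-certificate", default="no")
            if validate.strip().lower() != "yes" and name in in_use:
                findings[name] = in_use[name]
    return findings


if __name__ == "__main__":
    for profile, users in find_vulnerable_saml_profiles(SAMPLE_CONFIG).items():
        print(f"VULNERABLE: SAML IdP profile '{profile}' used by {users} "
              "without 'Validate Identity Provider Certificate'")
```

Profiles that are defined but not referenced by any authentication profile are deliberately not reported, since SAML is not in use through them.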
