-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.2232.2
   PAN-OS: Authentication Bypass in SAML Authentication (CVE-2020-2021)
                                1 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2021  

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2021

Revision History:  July  1 2020: Republishing with Alert flag
                   June 30 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

047910
Severity 10 . CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
NVD JSON     
Published 2020-06-29
Updated 2020-06-29
Reference PAN-148988
Discovered externally

Description

When Security Assertion Markup Language (SAML) authentication is enabled and
the 'Validate Identity Provider Certificate' option is disabled (unchecked),
improper verification of signatures in PAN-OS SAML authentication enables an
unauthenticated network-based attacker to access protected resources. The
attacker must have network access to the vulnerable server to exploit this
vulnerability.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0
versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS
8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS
7.1.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate'
option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO)
authentication are:

GlobalProtect Gateway,
GlobalProtect Portal,
GlobalProtect Clientless VPN,
Authentication and Captive Portal,
PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web
interfaces,
Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN,
Captive Portal, and Prisma Access, an unauthenticated attacker with network
access to the affected servers can gain access to protected resources if
allowed by configured authentication and Security policies. There is no impact
on the integrity and availability of the gateway, portal, or VPN server. An
attacker cannot inspect or tamper with sessions of regular users. In the worst
case, this is a critical severity vulnerability with a CVSS Base Score of 10.0
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an
unauthenticated attacker with network access to the PAN-OS or Panorama web
interfaces to log in as an administrator and perform administrative actions. In
the worst-case scenario, this is a critical severity vulnerability with a CVSS
Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web
interfaces are only accessible to a restricted management network, then the
issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/
C:H/I:H/A:H).

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Product Status

PAN-OS

Versions Affected Unaffected
9.1      < 9.1.3  >= 9.1.3
9.0      < 9.0.9  >= 9.0.9
8.1      < 8.1.15 >= 8.1.15
8.0      8.0.*
7.1               7.1.*

Required Configuration for Exposure

This issue is applicable only where SAML authentication is enabled and the
'Validate Identity Provider Certificate' option is disabled (unchecked) in the
SAML Identity Provider Server Profile.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate'
option is enabled in the SAML Identity Provider Server Profile.

Detailed descriptions of how to check for the configuration required for
exposure and mitigate them are listed in the knowledge base article https://
knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.

To check whether SAML authentication is enabled on a firewall, see the
configuration under Device > Server Profiles > SAML Identity Provider.

To check whether SAML authentication is enabled for Panorama administrator
authentication, see the configuration under Panorama> Server Profiles > SAML
Identity Provider

To check whether SAML authentication is enabled for firewalls managed by
Panorama, see the configuration under Device > [template]> Server Profiles >
SAML Identity Provider.

Any unauthorized access is logged in the system logs based on the
configuration; however, it can be difficult to distinguish between valid and
malicious logins or sessions.

Severity: CRITICAL

CVSSv3.1 Base Score: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Weakness Type

CWE-347 Improper Verification of Cryptographic Signature

Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later
versions.

Important: Ensure that the signing certificate for your SAML Identity Provider
is configured as the 'Identity Provider Certificate' before you upgrade to a
fixed version to ensure that your users can continue to authenticate
successfully. Configuring the 'Identity Provider Certificate' is an essential
part of a secure SAML authentication configuration. https://
docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/
configure-saml-authentication

Details of all actions required before and after upgrading PAN-OS are available
in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=
kA14u0000008UXK.

To eliminate unauthorized sessions on GlobalProtect portals and gateways,
Prisma Access managed through Panorama, change the certificate used to encrypt
and decrypt the Authentication Override cookie on the GlobalProtect portal and
gateways using the Panorama or firewall web interface. Refer to this article
for configuring Authentication override cookies: https://
knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy

Restarting firewalls and Panorama eliminates any unauthorized sessions on the
web interface.

To clear any unauthorized user sessions in Captive Portal take the following
steps:

Run the following command

show user ip-user-mapping all type SSO

For all the IPs returned, run these two commands to clear the users:

clear user-cache-mp <above ips>
clear user-cache <above ips>

PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by
our Product Security Assurance policies.

All Prisma Access services have been upgraded to resolve this issue and are no
longer vulnerable. Prisma Access customers do not require any changes to SAML
or IdP configurations.

Workarounds and Mitigations

Using a different authentication method and disabling SAML authentication will
completely mitigate the issue.

Until an upgrade can be performed, applying both these mitigations (a) and (b)
eliminates the configuration required for exposure to this vulnerability:

(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring
the 'Identity Provider Certificate' is an essential part of a secure SAML
authentication configuration.

(b) If the identity provider (IdP) certificate is a certificate authority (CA)
signed certificate, then ensure that the 'Validate Identity Provider
Certificate' option is enabled in the SAML Identity Provider Server Profile.
Many popular IdPs generate self-signed IdP certificates by default and the
'Validate Identity Provider Certificate' option cannot be enabled. Additional
steps may be required to use a certificate signed by a CA. This certificate can
be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA.
Instructions to configure a CA-issued certificate on IdPs are available at
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.

Upgrading to a fixed version of PAN-OS software prevents any future
configuration changes related to SAML that inadvertently expose protected
services to attacks.

Acknowledgments

Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team
and Cameron Duck from the Identity Services Team at Monash University for
discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach due to this vulnerability?

    Any unauthorized access is logged in the system logs based on the
    configuration; however, it can be difficult to distinguish between valid
    and malicious logins or sessions. Any unusual usernames or source IP
    addresses in the logs are indicators of a compromise.

Q. Is this a remote code execution (RCE)?

    No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?

    No evidence of active exploitation has been identified as of this time.

Q. What logs should be examined for clues of a compromise?

    Authentication Logs

    User-ID Logs

    ACC Network Activity Source/Destination Regions (Leveraging the Global
    Filter feature)

    Custom Reports (Monitor > Report)

    GlobalProtect Logs (PAN-OS 9.1.0 and above)

Timeline

2020-06-29 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXvvHXuNLKJtyKPYoAQj3Bg//cF69GTtyA8Zi9oYCigG9e7+bYxT650mv
UZVWF8eGQ32duXPJve1qL/CAqTdICGxy81WDHAs0Ry8Nd5ePLOGqe73q9AFVxJfx
ohunjMaA31MLt6ENQFGxWPhkRfOylVigg1j6YGb8lFPu9nKbp3Xy5xH6LFz8umMz
+Uzgt1UMj9/oh+F4sfCe5YnZnme5DB5GRjbNedWYi17OUTWdICJU3vXPLE9JT6Xs
lE3H7BvBXN0dmbMW8cIYsJJfzArW1YYmjK1uyKZD/HrZf9Sg4LmnUAdRO1FNrtKO
fPRqcDpP2pcznYnGWy8m1xBIC68MGvCDvrOnzHpLCiRHXgb2bZJkO3PB4TNrVcBC
horkXK4dJkAgQ6Zxgp6JqeaTps/+1zkM/LDkJIc/zWp0UcxECP2k+49Ld/M7/K8R
i6bbAP4FvZXjHJUmN00rKv1pxI1ZS5nt0Kia/7m5lJfOmKqt84kqMLeR3tc4u+e2
mIuuA9MWrWuA5k6ELP3YcIweQ4FdVELCgRosBBrzS0PHHuEBvC9oQkh3C7HLyqdd
VEnFuzRqxhTbpO/ItfcEKHqv5f9MSH8lVq1Hop7E8NsPckhb0N+AoYLTfSac5wBg
3Zego/4TGZbUb8YqapmGZLxX/RShw+pQmUHHEH+5g5IMMhATp2NibAit4xMxLN7z
do7OmaHvoOI=
=95un
-----END PGP SIGNATURE-----