===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2232.2
   PAN-OS: Authentication Bypass in SAML Authentication (CVE-2020-2021)
                                1 July 2020
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2021

Original Bulletin: https://securityadvisories.paloaltonetworks.com/CVE-2020-2021

Revision History:  July 1 2020:  Republishing with Alert flag
                   June 30 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
047910

Severity:               10 CRITICAL
Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  CHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH

Published:  2020-06-29
Updated:    2020-06-29
Reference:  PAN-148988
Discovered externally

Description

When Security Assertion Markup Language (SAML) authentication is enabled and
the 'Validate Identity Provider Certificate' option is disabled (unchecked),
improper verification of signatures in PAN-OS SAML authentication enables an
unauthenticated network-based attacker to access protected resources. The
attacker must have network access to the vulnerable server to exploit this
vulnerability.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0
versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS
8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect
PAN-OS 7.1.
This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate'
option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO)
authentication are:

  - GlobalProtect Gateway
  - GlobalProtect Portal
  - GlobalProtect Clientless VPN
  - Authentication and Captive Portal
  - PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web
    interfaces
  - Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN,
Captive Portal, and Prisma Access, an unauthenticated attacker with network
access to the affected servers can gain access to protected resources if
allowed by configured authentication and Security policies. There is no
impact on the integrity and availability of the gateway, portal, or VPN
server. An attacker cannot inspect or tamper with sessions of regular users.
In the worst case, this is a critical severity vulnerability with a CVSS Base
Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an
unauthenticated attacker with network access to the PAN-OS or Panorama web
interfaces to log in as an administrator and perform administrative actions.
In the worst-case scenario, this is a critical severity vulnerability with a
CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the
web interfaces are only accessible to a restricted management network, then
the issue is lowered to a CVSS Base Score of 9.6
(CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.
Product Status

PAN-OS   Versions Affected   Unaffected
9.1      < 9.1.3             >= 9.1.3
9.0      < 9.0.9             >= 9.0.9
8.1      < 8.1.15            >= 8.1.15
8.0      8.0.*
7.1                          7.1.*

Required Configuration for Exposure

This issue is applicable only where SAML authentication is enabled and the
'Validate Identity Provider Certificate' option is disabled (unchecked) in the
SAML Identity Provider Server Profile.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate'
option is enabled in the SAML Identity Provider Server Profile.

Detailed descriptions of how to check for the configuration required for
exposure and mitigate them are listed in the knowledge base article
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.

To check whether SAML authentication is enabled on a firewall, see the
configuration under Device > Server Profiles > SAML Identity Provider.

To check whether SAML authentication is enabled for Panorama administrator
authentication, see the configuration under Panorama > Server Profiles > SAML
Identity Provider.

To check whether SAML authentication is enabled for firewalls managed by
Panorama, see the configuration under Device > [template] > Server Profiles >
SAML Identity Provider.

Any unauthorized access is logged in the system logs based on the
configuration; however, it can be difficult to distinguish between valid and
malicious logins or sessions.

Severity: CRITICAL
CVSSv3.1 Base Score: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Weakness Type

CWE-347 Improper Verification of Cryptographic Signature

Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all
later versions.

Important: Ensure that the signing certificate for your SAML Identity Provider
is configured as the 'Identity Provider Certificate' before you upgrade to a
fixed version to ensure that your users can continue to authenticate
successfully.
Configuring the 'Identity Provider Certificate' is an essential part of a
secure SAML authentication configuration.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication

Details of all actions required before and after upgrading PAN-OS are
available in
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.

To eliminate unauthorized sessions on GlobalProtect portals and gateways,
Prisma Access managed through Panorama, change the certificate used to encrypt
and decrypt the Authentication Override cookie on the GlobalProtect portal and
gateways using the Panorama or firewall web interface. Refer to this article
for configuring Authentication override cookies:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy

Restarting firewalls and Panorama eliminates any unauthorized sessions on the
web interface.

To clear any unauthorized user sessions in Captive Portal take the following
steps:

  1. Run the following command:

       show user ip-user-mapping all type SSO

  2. For all the IPs returned, run these two commands to clear the users:

       clear user-cache-mp <above ips>
       clear user-cache <above ips>

PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by
our Product Security Assurance policies.

All Prisma Access services have been upgraded to resolve this issue and are no
longer vulnerable. Prisma Access customers do not require any changes to SAML
or IdP configurations.

Workarounds and Mitigations

Using a different authentication method and disabling SAML authentication will
completely mitigate the issue.

Until an upgrade can be performed, applying both these mitigations (a) and (b)
eliminates the configuration required for exposure to this vulnerability:

(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring
    the 'Identity Provider Certificate' is an essential part of a secure SAML
    authentication configuration.
(b) If the identity provider (IdP) certificate is a certificate authority (CA)
    signed certificate, then ensure that the 'Validate Identity Provider
    Certificate' option is enabled in the SAML Identity Provider Server
    Profile.

    Many popular IdPs generate self-signed IdP certificates by default and the
    'Validate Identity Provider Certificate' option cannot be enabled.
    Additional steps may be required to use a certificate signed by a CA. This
    certificate can be signed by an internal enterprise CA, the CA on the
    PAN-OS, or a public CA. Instructions to configure a CA-issued certificate
    on IdPs are available at
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.

Upgrading to a fixed version of PAN-OS software prevents any future
configuration changes related to SAML that inadvertently expose protected
services to attacks.

Acknowledgments

Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team
and Cameron Duck from the Identity Services Team at Monash University for
discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach due to this vulnerability?

Any unauthorized access is logged in the system logs based on the
configuration; however, it can be difficult to distinguish between valid and
malicious logins or sessions. Any unusual usernames or source IP addresses in
the logs are indicators of a compromise.

Q. Is this a remote code execution (RCE)?

No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?

No evidence of active exploitation has been identified as of this time.

Q. What logs should be examined for clues of a compromise?
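The "Required Configuration for Exposure" and "Workarounds and Mitigations" sections above describe three things a defender needs to check: the PAN-OS release against the fixed versions, whether each SAML Identity Provider Server Profile has an 'Identity Provider Certificate' configured, and whether 'Validate Identity Provider Certificate' is enabled. The script below is an added example (not Palo Alto Networks' or AusCERT's code) that runs those checks over a config export; the XML element names and the sample export are assumptions, so adjust the paths to match your own export.

```python
# Exposure check for CVE-2020-2021 on a PAN-OS XML config export.
# Added example, not Palo Alto Networks code. Assumed (unverified) layout:
# SAML IdP profiles at .../server-profile/saml-idp/entry with <certificate>
# naming the 'Identity Provider Certificate' and <validate-idp-certificate>
# holding yes/no. Adjust the paths if your export differs.
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory; 8.0 is EOL (all affected), 7.1 unaffected.
FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}

def parse_version(v: str) -> tuple:
    # "9.0.8-h3" -> (9, 0, 8); the hotfix suffix does not change the check
    return tuple(int(p) for p in v.split("-")[0].split("."))

def version_affected(v: str) -> bool:
    ver = parse_version(v)
    train = ver[:2]
    if train == (7, 1):
        return False
    if train == (8, 0):
        return True
    fixed = FIXED.get(train)
    # trains the advisory does not list (e.g. 10.x) shipped after the fix
    return fixed is not None and ver < fixed

def exposed_profiles(config_xml: str) -> list:
    """(name, reason) for each SAML IdP profile matching the exposure condition:
    IdP certificate validation disabled, or no IdP certificate configured."""
    findings = []
    for entry in ET.fromstring(config_xml).findall(".//saml-idp/entry"):
        name = entry.get("name", "?")
        if not entry.findtext("certificate"):
            findings.append((name, "no 'Identity Provider Certificate' configured"))
        if entry.findtext("validate-idp-certificate", "no").strip() != "yes":
            findings.append((name, "'Validate Identity Provider Certificate' disabled"))
    return findings

# Constructed sample export: one safe profile, two exposed ones.
SAMPLE_CONFIG = """<config version="9.1.2"><shared><server-profile><saml-idp>
  <entry name="okta-prod"><certificate>okta-idp-cert</certificate>
    <validate-idp-certificate>yes</validate-idp-certificate></entry>
  <entry name="adfs-lab"><validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="azure-ad"><certificate>aad-cert</certificate>
    <validate-idp-certificate>no</validate-idp-certificate></entry>
</saml-idp></server-profile></shared></config>"""

def audit(config_xml: str = SAMPLE_CONFIG) -> dict:
    version = ET.fromstring(config_xml).get("version", "0.0.0")
    return {"version_affected": version_affected(version),
            "exposed": exposed_profiles(config_xml)}
```

A profile that only lacks the certificate still needs mitigation (a) before the upgrade, since the advisory warns that upgrading without the 'Identity Provider Certificate' configured breaks user authentication.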
  - Authentication Logs
  - User-ID Logs
  - ACC Network Activity Source/Destination Regions (Leveraging the Global
    Filter feature)
  - Custom Reports (Monitor > Report)
  - GlobalProtect Logs (PAN-OS 9.1.0 and above)

Timeline

2020-06-29 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained
in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================