CVE-2020-2021

Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Severity Score

10.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Cuando la autenticación Security Assertion Markup Language (SAML) está habilitada y la opción “Validate Identity Provider Certificate” está deshabilitada (desmarcada), la verificación inapropiada de firmas en la autenticación SAML de PAN-OS permite a un atacante basado en la red no autenticado acceder a recursos protegidos. El atacante debe tener acceso de red al servidor vulnerable para explotar esta vulnerabilidad. Este problema afecta a PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.3; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.9; PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.15, y todas las versiones de PAN-OS 8.0 (EOL). Este problema no afecta a PAN-OS versión 7.1. Este problema no puede ser explotado si SAML no es usado para la autenticación. Este problema no puede ser explotado si la opción “Validate Identity Provider Certificate” está habilitada (marcada) en el SAML Identity Provider Server Profile. Los recursos que pueden ser protegidos mediante la autenticación de inicio de sesión único basada en SAML (SSO) son: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication y Captive Portal, los firewalls de PAN-OS de próxima generación (PA-Series, VM-Series) e interfaces web Panorama, Prisma Access en el caso de GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal y Prisma Access, un atacante no autenticado con acceso a la red para los servidores afectados puede conseguir acceso a recursos protegidos si es permitido por la autenticación configurada y las políticas de Seguridad. No hay impacto en la integridad y disponibilidad de la puerta de enlace, portal o servidor VPN. Un atacante no puede inspeccionar ni alterar las sesiones de los usuarios habituales. En el peor de los casos, esta es una vulnerabilidad de gravedad crítica con una Puntuación Base CVSS de 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). En el caso de las interfaces web de PAN-OS y Panorama, este problema permite a un atacante no autenticado con acceso de red a las interfaces web de PAN-OS o Panorama iniciar sesión como administrador y llevar a cabo acciones administrativas. En el peor de los casos, esta es una vulnerabilidad de gravedad crítica con un Puntaje Base CVSS de 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Si las interfaces web solo son accesibles para una red de administración restringida, entonces el problema se reduce a una Puntuación Base CVSS de 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks no tiene conocimiento de ningún intento malicioso para explotar esta vulnerabilidad

Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.

*Credits: Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-12-04 CVE Reserved
2020-06-29 CVE Published
2020-06-29 First Exploit
2022-03-25 Exploited in Wild
2022-04-15 KEV Due Date
2024-02-07 EPSS Updated
2024-09-16 CVE Updated

CWE

CWE-347: Improper Verification of Cryptographic Signature

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/mr-r3b00t/CVE-2020-2021	2020-06-29

URL	Date	SRC

URL	Date	SRC
https://security.paloaltonetworks.com/CVE-2020-2021	2020-07-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 8.0.0 <= 8.0.20 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 8.0.0 <= 8.0.20"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 8.1.0 < 8.1.15 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 8.1.0 < 8.1.15"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 9.0.0 < 9.0.9 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0.0 < 9.0.9"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 9.1.0 < 9.1.3 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.1.0 < 9.1.3"		-		Affected