US Cyber Command Warns Against Nation State Attacks Via PAN-OS Security Bug

Palo Alto Networks has disclosed a critical security flaw in PAN-OS, the operating system that runs its firewalls and enterprise VPN appliances. The vulnerability, tracked as CVE-2020-2021, received a rating of 10/10 on the CVSSv3 severity scale, meaning it is easy to exploit and does not require advanced technical skills on the attacker’s end. It is also remotely exploitable over the Internet, so attackers do not need an existing foothold in the network to exploit it. CVE-2020-2021 is an authentication bypass that allows threat actors to access the device without providing valid credentials. Once exploited, attackers can change PAN-OS settings and features, and the bug could allow a threat actor to disable firewall or VPN access-control policies. On Monday (June 29th), US Cyber Command warned all companies using Palo Alto Networks devices to update as soon as possible, because Advanced Persistent Threat (APT) actors would soon be attempting to exploit this vulnerability.

Analyst Notes

Anyone running PAN-OS from Palo Alto Networks should check whether their devices are vulnerable to this bug. Palo Alto’s mitigating factors state that a device must be in a specific configuration for the vulnerability to be exploited: the bug can only be exploited if Security Assertion Markup Language (SAML) authentication is enabled and the “Validate Identity Provider Certificate” option is disabled. Neither option is set this way by default; an administrator must manually configure them. However, PAN-OS manuals instruct administrators to configure their systems in exactly this way when using third-party multi-factor authentication providers such as Duo and Okta, so many PAN-OS deployments have been set up in the vulnerable configuration. Checking the configuration to ensure these options are set correctly, then applying patches as soon as possible, are the best ways to prevent an attack. Vulnerabilities of this type are picked up by threat actors quickly and will continue to be exploited for the next several years.
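The two preconditions above (SAML enabled, IdP certificate validation disabled) can be audited directly against a configuration export. The script below is an added example, not part of the original post or of Palo Alto’s tooling; the XML element names it searches for (`server-profile/saml-idp/entry/validate-idp-certificate` and `authentication-profile/entry/method/saml-idp/server-profile`) are an assumption about the PAN-OS configuration schema and should be adjusted to match a real export, and the sample configuration is constructed.

```python
# Added example (not from the original post): audit a PAN-OS config export for the
# two preconditions named in the advisory: SAML authentication in use AND
# "Validate Identity Provider Certificate" disabled.
# ASSUMPTION: the element names below (server-profile/saml-idp/entry/
# validate-idp-certificate and authentication-profile/entry/method/saml-idp/
# server-profile) approximate the PAN-OS XML schema; adjust them to a real export.
import xml.etree.ElementTree as ET

# Constructed sample: one IdP profile with validation off, one with it on,
# and an LDAP profile that does not use SAML at all.
SAMPLE_CONFIG = """<config><shared>
  <server-profile><saml-idp>
    <entry name="okta-idp"><validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="duo-idp"><validate-idp-certificate>yes</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="vpn-users">
      <method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method>
    </entry>
    <entry name="admins">
      <method><saml-idp><server-profile>duo-idp</server-profile></saml-idp></method>
    </entry>
    <entry name="legacy">
      <method><ldap><server-profile>corp-ldap</server-profile></ldap></method>
    </entry>
  </authentication-profile>
</shared></config>"""


def find_exposed_profiles(config_xml: str) -> list:
    """Return names of authentication profiles that use SAML while their IdP
    server profile has certificate validation disabled (or unset)."""
    root = ET.fromstring(config_xml)
    # Map each SAML IdP server profile to whether it validates the IdP certificate.
    validates = {}
    for idp in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = idp.findtext("validate-idp-certificate", default="no")
        validates[idp.get("name")] = flag.strip().lower() == "yes"
    exposed = []
    for prof in root.iterfind(".//authentication-profile/entry"):
        ref = prof.findtext("method/saml-idp/server-profile")
        if ref is None:
            continue  # not SAML-based, so the first precondition is not met
        if not validates.get(ref, False):
            exposed.append(prof.get("name"))  # SAML on, validation off
    return exposed
```

A missing validation flag is treated as disabled, so a profile that references an IdP entry with no explicit setting is reported rather than silently passed.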
