The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication.
The Department of Defense (DoD) arm that oversees cyberspace operations, U.S. Cyber Command, has advised that all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML) for authentication, according to a tweet by the command.
“Foreign APTs will likely attempt exploit soon,” U.S. Cyber Command tweeted. “We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.”
Palo Alto Networks on Monday posted an advisory on the vulnerability, which affects the devices’ operating system, PAN-OS. Affected versions are PAN-OS 9.1 earlier than 9.1.3; PAN-OS 9.0 earlier than 9.0.9; PAN-OS 8.1 earlier than 8.1.15; and all versions of PAN-OS 8.0, which is end-of-life (EOL). PAN-OS 7.1 is not affected.
Palo Alto has already patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and all later versions, which is why CISA is urging immediate updates of affected devices.
The vulnerability is an authentication bypass: a threat actor can access the device without supplying any credentials. It is exploitable only when SAML authentication is enabled and the “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile, according to the advisory. If SAML is not used for authentication, or that option is checked, the flaw cannot be exploited.
This combination allows “an unauthenticated network-based attacker to access protected resources” through an “improper verification of signatures in PAN-OS SAML authentication,” according to Palo Alto’s alert.
“The attacker must have network access to the vulnerable server to exploit this vulnerability,” researchers added.
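The advisory says only that signatures were improperly verified when the IdP certificate check was off; it does not publish PAN-OS internals. The following is an added illustration, not Palo Alto code, of the general failure mode that option name implies: a verifier that takes the signing key from the SAML message itself (the KeyInfo the message carries) instead of from the operator-configured identity provider certificate. It reduces SAML XML and XML-DSig to a plain string plus an RSA signature so it runs offline; the struct and function names, the `NameID=...` assertions and the generated keys are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SAMLResponse is a deliberately simplified stand-in for a SAML Response
// (constructed for this example, not a real SAML structure): Assertion is the
// signed payload, Signature is an RSA PKCS#1 v1.5 signature over it, and
// EmbeddedKey plays the role of the <ds:KeyInfo> certificate that a SAML
// message carries along with itself.
type SAMLResponse struct {
	Assertion   string
	Signature   []byte
	EmbeddedKey *rsa.PublicKey
}

// VerifierConfig mirrors the two settings the advisory cares about.
type VerifierConfig struct {
	ValidateIdPCert bool           // the "Validate Identity Provider Certificate" checkbox
	IdPKey          *rsa.PublicKey // the operator-configured IdP signing key
}

// signResponse builds a response signed by key and embeds key's public half,
// exactly as a legitimate IdP (or an attacker with their own key) would.
func signResponse(key *rsa.PrivateKey, assertion string) (*SAMLResponse, error) {
	digest := sha256.Sum256([]byte(assertion))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SAMLResponse{Assertion: assertion, Signature: sig, EmbeddedKey: &key.PublicKey}, nil
}

// verifyResponse returns the assertion if the signature checks out.
// With ValidateIdPCert off, the key is taken from the message (attacker-chosen);
// with it on, only a signature by the configured IdP key is accepted.
func verifyResponse(resp *SAMLResponse, cfg VerifierConfig) (string, error) {
	var key *rsa.PublicKey
	if cfg.ValidateIdPCert {
		key = cfg.IdPKey // pinned by the operator; the message cannot override it
	} else {
		key = resp.EmbeddedKey // trust-on-message: whoever built the message chose it
	}
	if key == nil {
		return "", errors.New("no signing key available")
	}
	digest := sha256.Sum256([]byte(resp.Assertion))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], resp.Signature); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return resp.Assertion, nil
}

// Scenario generates a fresh IdP key and a fresh attacker key, then reports
// whether the genuine response and the attacker's forged response are accepted
// under the given checkbox state.
func Scenario(validateIdPCert bool) (legitOK bool, forgedOK bool, err error) {
	idp, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	cfg := VerifierConfig{ValidateIdPCert: validateIdPCert, IdPKey: &idp.PublicKey}

	legit, err := signResponse(idp, "NameID=alice@example.com") // constructed sample
	if err != nil {
		return false, false, err
	}
	forged, err := signResponse(attacker, "NameID=admin@example.com") // constructed sample
	if err != nil {
		return false, false, err
	}
	_, legitErr := verifyResponse(legit, cfg)
	_, forgedErr := verifyResponse(forged, cfg)
	return legitErr == nil, forgedErr == nil, nil
}

func main() {
	for _, validate := range []bool{false, true} {
		legit, forged, err := Scenario(validate)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ValidateIdPCert=%-5v legitimate accepted=%v forged accepted=%v\n",
			validate, legit, forged)
	}
}
```

With the checkbox off, the forged assertion for `admin@example.com` is accepted because the verifier happily uses the attacker's embedded key; with it on, the genuine response still verifies and the forgery is rejected. Real XML-DSig verification has further pitfalls (reference handling, canonicalization, signature wrapping) that this model omits, but the dependency on a key the operator controls, rather than one the message supplies, is the property the “Validate Identity Provider Certificate” setting restores.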
Palo Alto provided details for how users of potentially affected devices can check if their device is in the configuration that allows for exploitation of the flaw.
“Any unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions,” researchers added in the advisory.
CISA doesn’t typically issue a warning on just any security flaw in vendors’ enterprise products. The agency’s cause for concern appears to be that the vulnerability carries the highest possible CVSSv3 severity score: 10 out of 10.
A 10.0 score means the flaw is exploitable over the network with low attack complexity, requires neither privileges nor user interaction, and has a high impact on confidentiality, integrity and availability. In practical terms, attackers don’t need an existing foothold on the target device; they can exploit it remotely, provided the vulnerable SAML-enabled interface is reachable from where they sit.
Users noted that they had been aware of the flaw for some time, so they welcomed the fix from Palo Alto. “This was a great concern,” wrote Twitter user Sihegee USA / Social, who suggested that people using devices with Yahoo and AT&T email services might be particularly affected by the issue. “At least now we have a patch.”
When updating affected devices, administrators should ensure that the signing certificate for their SAML identity provider is configured as the “Identity Provider Certificate” before upgrading, so that users of the device can continue to authenticate successfully, according to Palo Alto.
Details of all actions required before and after upgrading PAN-OS are available from the company online.
knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK
security.paloaltonetworks.com/CVE-2020-2021
twitter.com/CNMF_CyberAlert/status/1277674547542659074
twitter.com/Sihegee/status/1277677527943671809