Red alert: Palo Alto firewall authentication bypass flaw ripe for exploitation

US Cyber Command highlights Palo Alto Networks security patch, citing foreign espionage

Palo Alto Networks Vulnerability Could Be Exploited By Foreign Hackers: Feds

A critical security vulnerability found in many Palo Alto Networks network appliances could be exploited by foreign nation-state actors, according to the USA government.

The Department of Homeland Security and U.S. Cyber Command said Monday that a "critical" flaw in technology from Palo Alto Networks, a multinational security firm based in California, could enable attackers "with network access" to obtain sensitive information.

US Cyber Command tweeted: "Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon".

The software flaw, officially dubbed CVE-2020-2021, was designated a 10.0 on the severity scale in the U.S. National Institute of Science and Technology's National Vulnerability Database. After that, hackers can leverage their presence to gain access to the rest of the network.

The bug, listed as a maximum level ten vulnerability by the team that found it, is thought to be actively at risk of being exploited by advanced cyber attackers, including nation states.

US Cyber Command warned that Palo Alto Networks, a US firewall provider used by more than 70,000 companies around the world, had found a bug in its technology that put log-in apps created to make workers more secure at risk.

While the aforementioned configuration settings are not part of default configurations, it seems that finding vulnerable devices should not be much of a problem for attackers.

The flaw lies in the software that powers several Palo Alto Networks' firewalls and enterprise VPN appliances, which let employees access their corporate network from home - access that is crucial during the pandemic - while keeping unauthorized users out. They include: PAN-OS next gen firewalls and Panorama web interfaces; GlobalProtect Portal; GlobalProtect Gateway; Authentication and Captive Portal; GlobalProtect Clientless VPN; and Prisma Access. Palo Alto Networks has provided instructions for doing that in a way that doesn't break the authentication capability for users. Moreover, enabling the "Validate Identity Provider Certificate" option in the SAML Identity Provider Server Profile will prevent hackers from exploiting the bug. However, some third-party vendor integrations require the "validate identity provider certificate" option be disabled during the set up process.

If updating is not possible, the risk can be temporarily mitigated by using a different authentication method and disabling SAML authentication.

Latest News