Attacker Value
Very High
4

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

Disclosure Date: June 29, 2020

Exploitability

(1 user assessed) High
Attack Vector
Unknown
Privileges Required
Unknown
User Interaction
Unknown

Description

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

Add Assessment

6
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Technical details are a little sparse in the advisory, but this reads more like a bad software configuration or design than a vulnerability – one that may be indicative of a systemic problem in SAML implementations, not unlike the issues with SSL/TLS in practice.

Disabling identity provider (IdP) verification is akin to disabling SSL/TLS certificate verification, which is similarly the case here: many IdPs will generate self-signed certs, rendering verification all but impossible unless the software supports trusting individual certs. It is easier to leave a box unchecked. A box that seems to imply verifying only CA-signed certs. Palo Alto states as much in their advisory:

Many popular IdPs generate self-signed IdP certificates by default and the ‘Validate Identity Provider Certificate’ option cannot be enabled.

It would not surprise me if many organizations have this option disabled, regardless of what the default configuration may be (I haven’t been able to check), since widespread documentation suggests doing so. Case in point is Okta’s documentation on setting up SAML for Palo Alto products:

Many other IdPs, including Microsoft’s Azure Active Directory, suggest the same. This sets a dangerous precedent for other software to follow. In the worst case, this problem is already endemic in SAML implementations, regardless of the circumstances here. An audit of SAML implementations may be a worthy endeavor.

You should still patch or otherwise fix this configuration if at all possible. Palo Alto suggests using a CA-signed cert when available. Ideally, certificates should be trusted on a one-by-one basis, which is an unsustainable model for SSL/TLS but adequate for SAML. Of course, the software must support this, and the documentation must advise it. This was not the case here, apparently.

General Information

Technical Analysis

On June 29, 2020, Palo Alto Networks published a security advisory for CVE-2020-2021, a vulnerability in the way signatures are verified in the Palo Alto Networks operating system’s (PAN-OS) security assertion markup language (SAML) authentication. The vulnerability exists when SAML authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled, which then allows unauthenticated network-based attackers to access protected resources. According to the advisory, successful exploitation requires that an attacker have network access to the vulnerable server.

Of note: SAML authentication enablement is not the default authentication scheme; however, when SAML authentication is enabled, the Validate Identify Provider Certificate option is disabled by default. For further information, refer to Palo Alto’s notes on conditions required for exposure.

Rapid7’s Project Sonar identified 69,501 instances of Palo Alto’s Global Protect VPN on the public internet. There are no known public exploits for this vulnerability as of June 29, 2020. CVE-2020-2021 has a CVSSv3 base score of 10.0.

Affected products include:

  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • All versions of PAN-OS 8.0 (EOL)

PAN-OS 7.1 is unaffected, according to Palo Alto’s advisory.

Rapid7 analysis: Like most misconfiguration issues and vulnerabilities affecting authentication mechanisms or cryptographic implementations, Rapid7 researchers rate this vulnerability as having high attacker value. Generally speaking, firewalls, VPNs, and other internet-facing security products are attractive targets for both APT and commodity attackers. The COVID-19 pandemic amplifies this risk, with a large portion of the workforce having moved to remote work in a short period of time—which strains many security and IT teams’ ability to implement strong mitigating controls while maintaining worker accessibility.

While this particular advisory is specific to PAN-OS, it’s likely that other vendors’ SAML implementations are vulnerable to similar issues. Developers and the broader security community would be well-advised to ensure that code with implications for SAML is reviewed thoroughly, since the severity of vulnerabilities affecting authentication mechanisms is inherently high.

Guidance: Palo Alto customers should update PAN-OS to an unaffected version as soon as possible; if you are not able to update, disabling SAML authentication is an effective mitigation strategy. Beyond the specific mitigations for this advisory, we strongly encourage organizations to avoid putting any sort of management appliance, including those running PAN-OS, online in a way that allows public IP access.