June 30, 2020 (updated 07 Jul 2022 5:04am)

Urgent Call to Patch New Palo Alto Vulnerability: “Foreign APTs will Attempt Exploit Soon”

"Foreign APTs will likely attempt exploit soon"

By CBR Staff Writer

US Cyber Command has warned users to urgently patch a major new vulnerability in PAN-OS, Palo Alto Networks’ operating system for its firewalls and enterprise Virtual Private Network (VPN) appliances. The new vulnerability has the highest possible CVSS score of 10. 

The bug gives an attacker the ability to fully bypass a firewall and gain unauthenticated admin access to vulnerable devices: about as bad as it gets, particularly from a security vendor. 

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon”, the Department of Defense organisation warned today. Palo Alto says it has not seen exploits in the wild yet, but given the severity and apparent ease of exploitation, it shouldn’t take long for threat actors to reverse engineer the fix and work out how to exploit the vulnerability.

The bug will be the second major vulnerability from Palo Alto that has attracted Advanced Persistent Threat (APT) attention in the past year.

That earlier bug, CVE-2019-1579, has been widely exploited. (Known vulnerabilities in VPN products from Pulse Secure and Fortinet have also been targeted.)

“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions,” Palo Alto said.

The security company added: “In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0.”

If the web interfaces are only accessible to a restricted management network, then the issue is “lowered” to a CVSS Base Score of 9.6, the company added; hardly a reassuring drop in severity.

For the vulnerability to be exploitable, a device must have Security Assertion Markup Language (SAML) authentication enabled and the ‘Validate Identity Provider Certificate’ option disabled. That combination of settings is not unlikely; it is actively recommended in some circumstances.

Some SSO, two-factor authentication and identity services recommend this configuration, or only work with it.
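A defender's first question on reading the advisory is whether any device is actually running the vulnerable combination. The following script is an added example, not code from the article or from Palo Alto Networks: it walks a PAN-OS-style XML configuration export and flags every SAML IdP server profile whose certificate-validation option is not explicitly enabled. The element names (`saml-idp`, `validate-idp-certificate`) and the nesting under `shared` and `devices/.../vsys` are assumptions about the export layout and should be checked against a real export from your own device; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS XML configuration export.
# Element names and nesting are assumptions (see lead-in); verify them
# against a real export before relying on this check.
SAMPLE_CONFIG = """
<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-okta">
          <entity-id>https://idp.example.test/saml</entity-id>
          <sso-url>https://idp.example.test/sso</sso-url>
          <certificate>idp-signing-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="corp-adfs">
          <entity-id>https://adfs.example.test/saml</entity-id>
          <sso-url>https://adfs.example.test/sso</sso-url>
          <certificate>adfs-signing-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <server-profile>
            <saml-idp>
              <entry name="vsys1-idp">
                <entity-id>https://idp2.example.test/saml</entity-id>
                <certificate>idp2-cert</certificate>
              </entry>
            </saml-idp>
          </server-profile>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def find_saml_profiles(xml_text):
    """Return (profile_name, validate_flag) for every SAML IdP server profile.

    Profiles are collected from every <saml-idp> container in the document
    (shared and per-vsys), in document order. A missing option is returned
    as an empty string so the caller can treat it as 'not explicitly yes'.
    """
    root = ET.fromstring(xml_text)
    results = []
    for container in root.iter("saml-idp"):
        for profile in container.findall("entry"):
            flag = profile.findtext("validate-idp-certificate") or ""
            results.append((profile.get("name"), flag.strip().lower()))
    return results


def unsafe_profiles(xml_text):
    """Names of SAML IdP profiles that need review for CVE-2020-2021.

    The advisory's precondition is the validation option being disabled.
    This check is deliberately conservative: a profile with the option
    absent from the export is flagged too, so an operator confirms the
    effective setting on the device rather than assuming it is safe.
    """
    return [name for name, flag in find_saml_profiles(xml_text) if flag != "yes"]


if __name__ == "__main__":
    for name, flag in find_saml_profiles(SAMPLE_CONFIG):
        print(f"{name:12s} validate-idp-certificate={flag or '<unset>'}")
    print("review:", unsafe_profiles(SAMPLE_CONFIG))
```

Run against the constructed sample, the check reports `corp-okta` (validation explicitly off) and `vsys1-idp` (option absent) for review and leaves `corp-adfs` alone. Flagging a profile is only half the answer: whether an affected profile is actually referenced by an authentication profile on an exposed interface decides exposure, and patching or disabling SAML, as the article describes, is the fix.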

As security firm Tenable notes, these providers include:

The quickest mitigation for users is to disable SAML authentication. Palo Alto has published guidance on mitigation and upgrades.
