Sign up for our newsletter
Technology / Cybersecurity

Urgent Call to Patch New Palo Alto Vulnerability: “Foreign APTs will Attempt Exploit Soon”

US Cyber Command has warned users to urgently patch a major new vulnerability in PAN-OS, Palo Alto Networks’ operating system for its firewalls and enterprise Virtual Private Network (VPN) appliances. The new vulnerability has the highest possible CVSS score of 10. 

The bug gives an attacker the ability to fully bypass a firewall and gain unauthenticated admin access to vulnerable devices: about as bad as it gets, particularly from a security vendor. 

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon”, the Department of Defense organisation warned today. Palo Alto says it has not seen exploits in the wild yet, but given the severity and apparent ease of exploitation, it shouldn’t take long for threat actors to reverse engineer the fix and work out how to exploit the vulnerability,.

critical PAN-OS vulnerability Palo AltoThe bug will be the second major vulnerability from Palo Alto that has attracted Advanced Persistent Threat (APT) attention in the past year.

White papers from our partners

CVE-2019-1579 has been widely exploited. (Known vulnerabilities affecting VPN products from Pulse Secure and Fortinet have also been targeted). 

“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions,” Palo Alto said.

The security company added: “In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0.”

If the web interfaces are only accessible to a restricted management network, then the issue is “lowered” to a CVSS Base Score of 9.6, the company added; hardly a reassuring drop in severity.

For the vulnerability to be exploitable users would have to have Security Assertion Markup Language (SAML) enabled and ‘Validate Identity Provider Certificate’ option disabled. The combination of settings is not unlikely; it’s actively recommended in some circumstances.

SSO, two-factor authentication, and identity services recommend this configuration or may only work using this configuration.

As security firm Tenable notes, these providers include:

The quickest mitigation for users it to disable SAML authentication. Palo Alto’s guidance on mitigation and upgrades is here.

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.