CISA: Nation-State Attackers Likely to Take Aim at Palo Alto Networks Bug


An authentication-bypass vulnerability allows attackers to access network assets without credentials when SAML is enabled on certain firewalls and enterprise VPNs.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication.

U.S. Cyber Command, the Department of Defense (DoD) arm that oversees cyberspace operations, has advised that all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML), according to a tweet by the agency.

“Foreign APTs will likely attempt exploit soon,” U.S. Cyber Command tweeted. “We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.”

Palo Alto Networks on Monday posted an advisory on the vulnerability, which affects the devices’ operating system (PAN-OS). The affected releases are PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected.

Palo Alto already has patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions, which is why CISA is urging that affected devices be updated immediately.

The vulnerability allows for an authentication bypass, so threat actors can access the device without providing any credentials. However, hackers can only exploit the flaw when SAML authentication is enabled and the “Validate Identity Provider Certificate” option is disabled (unchecked), according to researchers.

This combination allows for “an unauthenticated network-based attacker to access protected resources” through an “improper verification of signatures in PAN-OS SAML authentication,” according to Palo Alto’s alert.

“The attacker must have network access to the vulnerable server to exploit this vulnerability,” researchers added.

Palo Alto provided details for how users of potentially affected devices can check if their device is in the configuration that allows for exploitation of the flaw.
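As an added example (not Palo Alto Networks’ own tooling), the script below encodes the two checks the advisory describes: whether a PAN-OS release predates the fixed builds, and whether any SAML IdP server profile in an exported configuration has “Validate Identity Provider Certificate” turned off. The `server-profile/saml-idp` path and the `validate-idp-certificate` element are assumed from the PAN-OS XML config layout, and the sample configuration is constructed.

```python
"""Audit helper for CVE-2020-2021 (added example, not vendor code).
Assumptions: PAN-OS XML exports place SAML IdP profiles under
shared/server-profile/saml-idp/entry and express the "Validate Identity
Provider Certificate" checkbox as <validate-idp-certificate>yes|no</...>.
A missing element is treated as unchecked (conservative)."""
import xml.etree.ElementTree as ET

# Fixed builds named in the advisory; 8.0 is EOL with no fix, 7.1 unaffected.
FIXED = {(8, 1): (8, 1, 15), (9, 0): (9, 0, 9), (9, 1): (9, 1, 3)}


def parse_version(version: str) -> tuple:
    # "8.1.14-h1" -> (8, 1, 14); the hotfix suffix is ignored for comparison
    return tuple(int(part) for part in version.split("-")[0].split("."))


def needs_patch(version: str) -> bool:
    """True when the release is listed as affected and below the fixed build."""
    ver = parse_version(version)
    train = ver[:2]
    if train == (7, 1):
        return False
    if train == (8, 0):
        return True  # EOL train: every build is affected, no fix exists
    fixed = FIXED.get(train)
    if fixed is None:
        return False  # train not named in the advisory
    return ver < fixed


def weak_saml_profiles(config_xml: str) -> list:
    """Names of SAML IdP profiles with IdP certificate validation off."""
    root = ET.fromstring(config_xml)
    weak = []
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        if flag.strip().lower() != "yes":
            weak.append(entry.get("name"))
    return weak


# Constructed sample: one safe profile, one explicitly unchecked, one unset.
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="okta-prod"><validate-idp-certificate>yes</validate-idp-certificate></entry>
  <entry name="legacy-idp"><validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="lab-idp"/>
</saml-idp></server-profile></shared></config>"""

if __name__ == "__main__":
    print("9.1.2 needs patch:", needs_patch("9.1.2"))
    print("weak SAML profiles:", weak_saml_profiles(SAMPLE_CONFIG))
```

A flagged profile only matters for exposure when SAML authentication is actually enabled on a portal, gateway or interface that uses it; the version check and the profile check together describe the vulnerable combination the advisory names.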

“Any unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions,” researchers added in the advisory.

CISA doesn’t typically issue a warning on just any security flaw in vendors’ enterprise products. However, the agency’s cause for concern seems to be that the vulnerability has been rated the highest score on the CVSSv3 severity scale—a 10 out of 10.

This rating means it is easy to exploit and doesn’t require advanced technical skills. Attackers also don’t need any prior foothold on the targeted device to exploit the flaw; they can do so remotely via the internet.

Users noted that they have been aware of the flaw for some time, so they also welcomed the fix from Palo Alto. “This was a great concern,” wrote Twitter user Sihegee USA / Social, who suggested that people using devices with Yahoo and AT&T email services might be particularly affected by the issue. “At least now we have a patch.”

Before upgrading affected devices, people should ensure that the signing certificate for their SAML identity provider is configured as the “Identity Provider Certificate,” so that users of the device can continue to authenticate successfully after the upgrade, according to Palo Alto.

Details of all actions required before and after upgrading PAN-OS are available from the company online.
