Palo Alto Networks Security Advisories / CVE-2020-2021

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

047910
Severity 10 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO) authentication are:

GlobalProtect Gateway,
GlobalProtect Portal,
GlobalProtect Clientless VPN,
Authentication and Captive Portal,
PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,
Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Product Status

PAN-OS

VersionsAffectedUnaffected
9.1< 9.1.3>= 9.1.3
9.0< 9.0.9>= 9.0.9
8.1< 8.1.15>= 8.1.15
8.08.0.*
7.17.1.*

Required Configuration for Exposure

This issue is applicable only where SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile.

Detailed descriptions of how to check for the configuration required for exposure and mitigate them are listed in the knowledge base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.

To check whether SAML authentication is enabled on a firewall, see the configuration under Device > Server Profiles > SAML Identity Provider.

To check whether SAML authentication is enabled for Panorama administrator authentication, see the configuration under Panorama> Server Profiles > SAML Identity Provider

To check whether SAML authentication is enabled for firewalls managed by Panorama, see the configuration under Device > [template]> Server Profiles > SAML Identity Provider.

Any unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions.

Severity: CRITICAL

CVSSv3.1 Base Score: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Weakness Type

CWE-347 Improper Verification of Cryptographic Signature

Solution

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Important: Ensure that the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication

Details of all actions required before and after upgrading PAN-OS are available in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.

To eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface. Refer to this article for configuring Authentication override cookies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy

Restarting firewalls and Panorama eliminates any unauthorized sessions on the web interface.

To clear any unauthorized user sessions in Captive Portal take the following steps:

Run the following command

show user ip-user-mapping all type SSO

For all the IPs returned, run these two commands to clear the users:

clear user-cache-mp <above ips>
clear user-cache <above ips>

PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by our Product Security Assurance policies.

All Prisma Access services have been upgraded to resolve this issue and are no longer vulnerable. Prisma Access customers do not require any changes to SAML or IdP configurations.

Workarounds and Mitigations

Using a different authentication method and disabling SAML authentication will completely mitigate the issue.

Until an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:

(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.

(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.

Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.

Acknowledgments

Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach due to this vulnerability?

Any unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions. Any unusual usernames or source IP addresses in the logs are indicators of a compromise.

Q. Is this a remote code execution (RCE)?

No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?

No evidence of active exploitation has been identified as of this time.

Q. What logs should be examined for clues of a compromise?

Authentication Logs

User-ID Logs

ACC Network Activity Source/Destination Regions (Leveraging the Global Filter feature)

Custom Reports (Monitor > Report)

GlobalProtect Logs (PAN-OS 9.1.0 and above)

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.