CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification
An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication.
Impacted features that use SSL VPN with client certificate verification are:
GlobalProtect Clientless VPN,
GlobalProtect Large Scale VPN
In configurations where client certificate verification is used in conjunction with other authentication methods, the protections added by the certificate check are ignored as a result of this issue.
This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.5;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.
|PAN-OS 10.0||< 10.0.1||>= 10.0.1|
|PAN-OS 9.1||< 9.1.5||>= 9.1.5|
|PAN-OS 9.0||< 9.0.11||>= 9.0.11|
|PAN-OS 8.1||< 8.1.17||>= 8.1.17|
Required Configuration for Exposure
This issue is only applicable to PAN-OS appliances using the GlobalProtect VPN, gateway, or portal configured to allow users to authenticate with client certificate authentication.
This issue can not be exploited if client certificate authentication is not in use.
Other forms of authentication are not impacted by this issue.
CVSSv3.1 Base Score:8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, PAN-OS 10.0.1, and all later PAN-OS versions.
Workarounds and Mitigations
Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 59884 on traffic destined for the GlobalProtect portal, gateway, or VPN will block attacks against CVE-2020-2050.
This issue can be mitigated by configuring GlobalProtect to require users to authenticate with their credentials. Other authentication methods are not impacted by this issue.
Frequently Asked Questions
Q. Is this a remote code execution (RCE)?
No. This is not a remote code execution vulnerability.
Q. Has this been exploited in the wild?
No evidence of active exploitation has been identified as of this time. This issue was proactively found and fixed by Palo Alto Networks.
Q. Is IPSec based VPN vulnerable to this issue?
IPSec based VPN is not impacted by this vulnerability.
Q. Is GlobalProtect pre-logon feature affected by this issue?
GlobalProtect pre-logon feature using client certificates for authentication is affected by this issue.