CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification

Palo Alto Networks Security Advisories / CVE-2020-2050

CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification

Severity 8.2 · HIGH

Attack Vector NETWORK

Scope UNCHANGED

Attack Complexity LOW

Confidentiality Impact HIGH

Privileges Required NONE

Integrity Impact LOW

User Interaction NONE

Availability Impact NONE

NVD JSON

Published 2020-11-11

Updated 2020-11-19

Reference PAN-146650

Discovered internally

Description

An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication.

Impacted features that use SSL VPN with client certificate verification are:

GlobalProtect Gateway,
GlobalProtect Portal,
GlobalProtect Clientless VPN,
GlobalProtect Large Scale VPN

In configurations where client certificate verification is used in conjunction with other authentication methods, the protections added by the certificate check are ignored as a result of this issue.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.17;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.11;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.5;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Product Status

Versions	Affected	Unaffected
PAN-OS 10.0	< 10.0.1	>= 10.0.1
PAN-OS 9.1	< 9.1.5	>= 9.1.5
PAN-OS 9.0	< 9.0.11	>= 9.0.11
PAN-OS 8.1	< 8.1.17	>= 8.1.17

Required Configuration for Exposure

This issue is only applicable to PAN-OS appliances using the GlobalProtect VPN, gateway, or portal configured to allow users to authenticate with client certificate authentication.

This issue can not be exploited if client certificate authentication is not in use.

Other forms of authentication are not impacted by this issue.

Severity:HIGH

CVSSv3.1 Base Score:8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-285 Improper Authorization

Solution

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, PAN-OS 10.0.1, and all later PAN-OS versions.

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 59884 on traffic destined for the GlobalProtect portal, gateway, or VPN will block attacks against CVE-2020-2050.

This issue can be mitigated by configuring GlobalProtect to require users to authenticate with their credentials. Other authentication methods are not impacted by this issue.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal security review.

Frequently Asked Questions

Q. Is this a remote code execution (RCE)?

No. This is not a remote code execution vulnerability.

Q. Has this been exploited in the wild?

No evidence of active exploitation has been identified as of this time. This issue was proactively found and fixed by Palo Alto Networks.

Q. Is IPSec based VPN vulnerable to this issue?

IPSec based VPN is not impacted by this vulnerability.

Q. Is GlobalProtect pre-logon feature affected by this issue?

GlobalProtect pre-logon feature using client certificates for authentication is affected by this issue.

Timeline

2020-11-19 Updated to mention LSVPN and IPSec based VPN is not affected.

2020-11-13 New workaround is available.

2020-11-11 Initial publication