Palo Alto Networks Security Advisories / CVE-2021-3046

CVE-2021-3046 PAN-OS: Improper SAML Authentication Vulnerability in GlobalProtect Portal

047910
Severity 6.8 · MEDIUM
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact NONE

Description

An improper authentication vulnerability exists in Palo Alto Networks PAN-OS software that enables a SAML authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.19;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.9;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.5.

PAN-OS 10.1 versions are not impacted.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.1None10.1.*
PAN-OS 10.0< 10.0.5>= 10.0.5
PAN-OS 9.1< 9.1.9>= 9.1.9
PAN-OS 9.0< 9.0.14>= 9.0.14
PAN-OS 8.1< 8.1.19>= 8.1.19

Required Configuration for Exposure

This vulnerability applies only to PAN-OS firewalls configured to have a GlobalProtect portal or gateway with SAML authentication enabled.

Severity: MEDIUM

CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-287 Improper Authentication

Solution

This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.5, and all later PAN-OS versions.

Workarounds and Mitigations

You can disable SAML authentication for any impacted GlobalProtect portal or gateway until you upgrade the PAN-OS firewall to a fixed version.

Acknowledgments

Palo Alto Networks thanks Alexander Harvey for discovering and reporting this issue.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.