US Cyber Command says foreign hackers will most likely exploit new PAN-OS security bug
US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.
“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” US Cyber Command said in a tweet today.
“Foreign APTs will likely attempt [to] exploit soon,” the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups.
CVE-2020-2021 – a rare 10/10 vulnerability
US Cyber Command officials are right to be panicked. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale.
A 10/10 CVSSv3 score means the vulnerability is both easy to exploit as it doesn’t require advanced technical skills, and it’s remotely exploitable via the internet, without requiring attackers to gain an initial foothold on the attacked device.
In technical terms, the vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials.
Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features seems innocuous, and of little consequence, the bug is actually quite a major issue because it could be used to disable firewalls or VPN access-control policies, effectively disabling the entire PAN-OS devices.
PAN-OS devices must be in a certain configuration
In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a certain configuration for the bug to be exploitable.
PAN engineers said the bug is only exploitable if the ‘Validate Identity Provider Certificate’ option is disabled and if SAML (Security Assertion Markup Language) is enabled.
Devices that support these two options — and are vulnerable to attacks — include systems like:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
- Prisma Access systems
These two settings are not in the vulnerable positions by default and require manual user intervention to be set in that specific configuration — meaning that not all PAN-OS devices are vulnerable to attacks by default.
Some devices have been configured to be vulnerable
However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor manuals instruct PAN-OS owners to set up this exact particular configuration when using third-party identity providers — such as using Duo authentication on PAN-OS devices, or third-party authentication solutions from Centrify, Trusona, or Okta.
This means that while the vulnerability looks harmless at a first glance due to the complex configuration needed to be exploitable, there are likely quite a few devices configured in this vulnerable state, especially due to the widespread use of Duo authentication in the enterprise and government sector.
As a result, owners of PAN-OS devices are advised to immediately review device configurations and apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state.
The list of vulnerable PAN-OS releases where CVE-2020-2021 is known to work are listed below.
Following Palo Alto’s vulnerability disclosure today, several respected figures in the cyber-security community have echoed the US Cyber Command warning and have also urged system administrators to patch PAN-OS devices as soon as possible, also anticipating attacks from nation-state threat actors to follow in a matter of days.
Palo Alto Networks did not return an email seeking comment on the US Cyber Command’s warning.