PT-2020-3435 · Palo Alto Networks · GlobalProtect Gateway +5

Cameron Duck +1

Published 2020-06-29 · Updated 2025-11-04

CVE-2020-2021

CVSS v3.1: 10.0 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Palo Alto Networks PAN-OS 9.1 versions prior to 9.1.3
Palo Alto Networks PAN-OS 9.0 versions prior to 9.0.9
Palo Alto Networks PAN-OS 8.1 versions prior to 8.1.15
Palo Alto Networks PAN-OS 8.0, all versions (EOL)
Description

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile, improper verification of signatures in PAN-OS SAML authentication allows an unauthenticated network-based attacker to access protected resources. The attacker needs network access to the vulnerable server; the issue cannot be exploited if SAML is not used for authentication, or if the 'Validate Identity Provider Certificate' option is enabled. Resources that can be protected by SAML-based single sign-on (SSO) are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, the web interfaces of PAN-OS next-generation firewalls and Panorama, and Prisma Access. For GlobalProtect Gateway, GlobalProtect Portal, Clientless VPN, Captive Portal and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if the configured authentication and Security policies allow it. For the PAN-OS and Panorama web interfaces, such an attacker can log in as an administrator and perform administrative actions. Researchers have found almost 70,000 PAN-OS devices exposed on the Internet, about 40% of them protecting networks in the US.
Recommendations

As a temporary workaround, enable the 'Validate Identity Provider Certificate' option in the SAML Identity Provider Server Profile on all affected versions. With this option enabled, PAN-OS validates the identity provider's signing certificate against a certificate authority, so the IdP certificate must be CA-issued; a self-signed IdP certificate has to be replaced before the option can be turned on. Then upgrade: PAN-OS 9.1 to version 9.1.3 or later, PAN-OS 9.0 to version 9.0.9 or later, PAN-OS 8.1 to version 8.1.15 or later. PAN-OS 8.0 is EOL and receives no fix; upgrade to a supported version.
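The weakness the advisory names, improper verification of the SAML signature, and the effect of the 'Validate Identity Provider Certificate' workaround, shown as an added illustration in Go. This is not PAN-OS code, not the page's code, and not a description of PAN-OS internals: it models the general bug class in which a service provider takes the signing certificate from the SAML message's own KeyInfo, so that only the CA-validation option ties that certificate to a trusted issuer, and sets it beside a fixed verifier that pins the configured IdP certificate. The struct and field names, the stripped-down assertion, the fixture certificates and the omission of XML canonicalisation are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Response: the assertion bytes, the signature over them and the certificate the
// message itself carries in <ds:KeyInfo>. XML canonicalisation is omitted here.
type Response struct {
	Assertion   []byte
	Signature   []byte
	KeyInfoCert *x509.Certificate // chosen by whoever built the message
}

type Verifier struct {
	IdPCert         *x509.Certificate // certificate configured in the SAML IdP server profile
	ValidateIdPCert bool              // the 'Validate Identity Provider Certificate' option
	Roots           *x509.CertPool    // CAs trusted when that option is enabled
}

// verifyWith applies the optional CA chain check to cert, then checks the signature with it.
func (v Verifier) verifyWith(cert *x509.Certificate, r *Response) error {
	if v.ValidateIdPCert {
		if _, err := cert.Verify(x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
			return err
		}
	}
	return cert.CheckSignature(x509.SHA256WithRSA, r.Assertion, r.Signature)
}

// VerifyVulnerable trusts the certificate the message carries: with the option off nothing ties it to the configured IdP.
func (v Verifier) VerifyVulnerable(r *Response) error {
	return v.verifyWith(r.KeyInfoCert, r)
}

// VerifyFixed pins the configured IdP certificate; a KeyInfo certificate is tolerated only if it is that exact one.
func (v Verifier) VerifyFixed(r *Response) error {
	if r.KeyInfoCert != nil && !r.KeyInfoCert.Equal(v.IdPCert) {
		return errors.New("KeyInfo certificate differs from configured IdP certificate")
	}
	return v.verifyWith(v.IdPCert, r)
}

// must panics on error; newCert and sign only build test fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for a fresh RSA key; parent == nil makes a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.BasicConstraintsValid, tmpl.IsCA, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// sign builds a response whose KeyInfo carries whatever certificate the signer chooses to present.
func sign(assertion []byte, key *rsa.PrivateKey, keyInfo *x509.Certificate) *Response {
	h := sha256.Sum256(assertion)
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
	return &Response{Assertion: assertion, Signature: sig, KeyInfoCert: keyInfo}
}

// RunScenario: CA-issued IdP cert, attacker's self-signed cert with the same subject, a genuine and a
// forged assertion (constructed data); reports which verifier accepts what with the option off and on.
func RunScenario() map[string]bool {
	ca, caKey := newCert("Example IdP Root CA", nil, nil)
	idp, idpKey := newCert("idp.example.com", ca, caKey)
	attacker, attackerKey := newCert("idp.example.com", nil, nil)
	genuine := sign([]byte(`<Assertion><NameID>alice</NameID></Assertion>`), idpKey, idp)
	forged := sign([]byte(`<Assertion><NameID>admin</NameID></Assertion>`), attackerKey, attacker)
	off := Verifier{IdPCert: idp}
	on := Verifier{IdPCert: idp, ValidateIdPCert: true, Roots: x509.NewCertPool()}
	on.Roots.AddCert(ca)
	return map[string]bool{
		"vulnerable, option off, accepts forgery": off.VerifyVulnerable(forged) == nil,
		"vulnerable, option on, accepts forgery":  on.VerifyVulnerable(forged) == nil,
		"fixed accepts forgery":                   off.VerifyFixed(forged) == nil,
		"fixed accepts genuine":                   on.VerifyFixed(genuine) == nil,
	}
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints the four outcomes: the vulnerable verifier accepts the forged assertion only while the option is off, which is the advisory's exploitable configuration, and rejects it once the option forces the self-signed certificate through a CA chain check, which is why the workaround is effective. The fixed verifier never consults the message's certificate for trust, so the option becomes defence in depth rather than the only barrier. The forgery here reuses the IdP's subject name on purpose: subject matching is not a trust decision, and the fixed path compares the whole DER-encoded certificate.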

Weakness Enumeration

CWE-347: Improper Verification of Cryptographic Signature
Related Identifiers

BDU:2020-03758
CVE-2020-2021

Affected Products

GlobalProtect Clientless VPN
GlobalProtect Gateway
GlobalProtect Portal
PAN-OS
Panorama
Prisma Access