PT-2020-5818 · Palo Alto Networks · GlobalProtect Gateway +4
Nicholas Newsom
·
Published
2020-11-11
·
Updated
2020-11-24
·
CVE-2020-2050
CVSS v2.0
8.5
High
| Vector | AV:N/AC:L/Au:N/C:C/I:P/A:N |
Name of the Vulnerable Software and Affected Versions:
PAN-OS versions prior to 8.1.17
PAN-OS versions prior to 9.0.11
PAN-OS versions prior to 9.1.5
PAN-OS versions prior to 10.0.1
Description:
An authentication bypass issue exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software: an attacker who presents an invalid client certificate still passes all client certificate checks. When the gateway or portal is configured to rely entirely on certificate-based authentication, a remote attacker can therefore authenticate as any user and gain access to restricted VPN network resources. Impacted features include GlobalProtect Gateway, GlobalProtect Portal, and GlobalProtect Clientless VPN. In configurations where client certificate verification is combined with other authentication methods, the certificate check is effectively ignored and adds no protection; only the other configured methods still stand between the attacker and the VPN.
Recommendations:
For PAN-OS versions prior to 8.1.17, update to version 8.1.17 or later.
For PAN-OS versions prior to 9.0.11, update to version 9.0.11 or later.
For PAN-OS versions prior to 9.1.5, update to version 9.1.5 or later.
For PAN-OS versions prior to 10.0.1, update to version 10.0.1 or later.
Where an immediate upgrade is not possible, restrict network access to the GlobalProtect portal and gateway (the SSL VPN component) until the fixed release has been installed; because the certificate check itself can be bypassed, do not rely on certificate-only authentication in the meantime.
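The four "prior to X, update to X" lines above are one version-triage rule per release line, and the part people get wrong in practice is the hotfix suffix (a 9.1.4-h1 box is still below 9.1.5). The following script is an added example, not code from the advisory or from Palo Alto Networks: it encodes the fixed versions listed on this page, parses PAN-OS version strings of the form `major.minor.maintenance[-hN]`, and triages a constructed inventory (hostnames and versions are invented sample data). Release lines the advisory does not list, such as 10.1, are reported as unlisted rather than assumed safe.

```python
"""Triage PAN-OS hosts against the CVE-2020-2050 fixed versions.

Added example, not part of the original advisory.  The fixed-version table
is taken from the Recommendations section of this page; the host inventory
at the bottom is constructed sample data, not real devices.
"""
import re
from typing import Optional

# Release line (major, minor) -> first fixed release in that line (from the advisory).
FIXED_VERSIONS = {
    (8, 1): (8, 1, 17),
    (9, 0): (9, 0, 11),
    (9, 1): (9, 1, 5),
    (10, 0): (10, 0, 1),
}

# PAN-OS versions look like "9.1.4" or, with a hotfix, "9.1.4-h1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its release line.

    Hotfixes of a vulnerable maintenance release (e.g. 9.1.4-h1) are still
    vulnerable, because the fix ships in 9.1.5 and later.  Returns None for a
    release line this advisory does not list (e.g. 10.1), so the caller can
    consult the vendor instead of silently treating it as safe.
    """
    major, minor, maint, _hotfix = parse_panos_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, maint) < FIXED_VERSIONS[line]
    if line < min(FIXED_VERSIONS):
        # Literally "prior to 8.1.17": older lines such as 8.0 have no fixed
        # release of their own in the advisory, so they must move to 8.1.17+.
        return True
    return None


def recommended_version(version: str) -> Optional[str]:
    """The upgrade target from the advisory for an affected version, else None."""
    if not is_affected(version):
        return None
    line = parse_panos_version(version)[:2]
    target = FIXED_VERSIONS.get(line, min(FIXED_VERSIONS.values()))
    return ".".join(map(str, target))


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, version, verdict) rows, sorted by host name.

    verdict is 'upgrade to X', 'not affected' or 'unlisted release line'.
    """
    rows = []
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        if status is None:
            verdict = "unlisted release line"
        elif status:
            verdict = f"upgrade to {recommended_version(version)}"
        else:
            verdict = "not affected"
        rows.append((host, version, verdict))
    return rows


# Constructed sample inventory: hypothetical hostnames and versions.
SAMPLE_INVENTORY = {
    "fw-edge-01": "9.1.4-h1",
    "fw-edge-02": "9.1.5",
    "fw-dc-01": "8.1.16",
    "fw-lab-01": "10.0.0",
    "fw-legacy-01": "8.0.20",
    "fw-new-01": "10.1.0",
}

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:10} {verdict}")
```

Feed it the output of `show system info` (the `sw-version` field) from each firewall; the comparison is done on the numeric tuple, not on the string, so `9.1.10` sorts correctly above `9.1.5`.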
Fix
Improper Authentication
Improper Certificate Validation
Improper Authorization
Affected Products
GlobalProtect Clientless VPN
GlobalProtect Gateway
GlobalProtect Portal
GlobalProtect SSL VPN
PAN-OS