When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access.

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
{"id": "CVE-2020-2021", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-2021", "description": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). 
In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.", "published": "2020-06-29T15:15:00", "modified": "2020-07-06T14:39:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2021", "reporter": "psirt@paloaltonetworks.com", "references": ["https://security.paloaltonetworks.com/CVE-2020-2021"], "cvelist": ["CVE-2020-2021"], "immutableFields": [], "lastseen": "2022-03-23T14:58:15", "viewCount": 546, 
"enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:365547B1-E741-4CB5-94CD-AEB8EE1DACA3", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:B05FF131-9188-45DC-8317-99DD9D7A6356"]}, {"type": "cisa", "idList": ["CISA:A5E983E287BE1A6C13AEFAD3B3E1C93E"]}, {"type": "githubexploit", "idList": ["6D825BB4-8B86-5C07-8265-B2BF353F672A"]}, {"type": "nessus", "idList": ["PALO_ALTO_CVE-2020-2021.NASL"]}, {"type": "paloalto", "idList": ["PA-CVE-2020-2021", "PA-CVE-2020-2034"]}, {"type": "threatpost", "idList": ["THREATPOST:14236108003AC6A3E1AB861A15ECA88F", "THREATPOST:363C332F7046A481C24C7172C55CF758", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:E33A690C7225E32F19E8E6C4C27B19F9"]}], "rev": 4}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:B05FF131-9188-45DC-8317-99DD9D7A6356"]}], "wildExploited": true}, "score": {"value": 3.0, "vector": "NONE"}, "twitter": {"counter": 1, "modified": "2020-12-09T22:03:10", "tweets": [{"link": "https://twitter.com/BuhoOscuro/status/1343660938428297221", "text": "might be helpful & proactive to BOLO for exploitation of the SAML auth bypass vuln in PAN-OS products, cve-2020-2021.\nhigh-profile exploitation of a particular vector or software generates interest in similar vulns (this often happens with Struts & WebLogic announcements too)"}]}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:365547B1-E741-4CB5-94CD-AEB8EE1DACA3", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:B05FF131-9188-45DC-8317-99DD9D7A6356"]}, {"type": "cisa", "idList": ["CISA:A5E983E287BE1A6C13AEFAD3B3E1C93E"]}, {"type": "githubexploit", "idList": ["6D825BB4-8B86-5C07-8265-B2BF353F672A"]}, {"type": "nessus", "idList": ["PALO_ALTO_CVE-2020-2021.NASL"]}, {"type": "paloalto", "idList": ["PA-CVE-2020-2021"]}, {"type": "threatpost", "idList": ["THREATPOST:14236108003AC6A3E1AB861A15ECA88F"]}]}, "affected_software": 
{"major_version": [{"name": "paloaltonetworks pan-os", "version": 8}, {"name": "paloaltonetworks pan-os", "version": 8}, {"name": "paloaltonetworks pan-os", "version": 9}, {"name": "paloaltonetworks pan-os", "version": 9}]}, "vulnersScore": 3.0}, "_state": {"wildexploited": 0, "dependencies": 1659879600, "score": 1659823045, "cisa_kev_wildexploited": 1660152412, "affected_software_major_version": 1671590614}, "_internal": {"score_hash": "0f04c556395491057f83fc8b739d5de4"}, "cna_cvss": {"cna": "Palo Alto Networks, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 10.0}}}, "cpe": ["cpe:/o:paloaltonetworks:pan-os:8.0.20"], "cpe23": ["cpe:2.3:o:paloaltonetworks:pan-os:8.0.20:*:*:*:*:*:*:*"], "cwe": ["CWE-347"], "affectedSoftware": [{"cpeName": "paloaltonetworks:pan-os", "version": "8.0.20", "operator": "le", "name": "paloaltonetworks pan-os"}, {"cpeName": "paloaltonetworks:pan-os", "version": "8.1.15", "operator": "lt", "name": "paloaltonetworks pan-os"}, {"cpeName": "paloaltonetworks:pan-os", "version": "9.0.9", "operator": "lt", "name": "paloaltonetworks pan-os"}, {"cpeName": "paloaltonetworks:pan-os", "version": "9.1.3", "operator": "lt", "name": "paloaltonetworks pan-os"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:paloaltonetworks:pan-os:8.0.20:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.0.20", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:paloaltonetworks:pan-os:8.1.15:*:*:*:*:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.15", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:paloaltonetworks:pan-os:9.0.9:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.9", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:paloaltonetworks:pan-os:9.1.3:*:*:*:*:*:*:*", 
"versionStartIncluding": "9.1.0", "versionEndExcluding": "9.1.3", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://security.paloaltonetworks.com/CVE-2020-2021", "name": "N/A", "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}]}
{"cisa": [{"lastseen": "2021-02-24T18:06:39", "description": "Palo Alto Networks has released security updates to address a vulnerability affecting the use of Security Assertion Markup Language in PAN-OS. An unauthenticated attacker with network access could exploit this vulnerability to obtain sensitive information.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Palo Alto Security Advisory for [CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021 >) and apply the necessary updates or workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/06/29/palo-alto-releases-security-updates-pan-os>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-29T00:00:00", "type": "cisa", "title": "Palo Alto Releases Security Updates for PAN-OS ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021"], "modified": "2020-06-29T00:00:00", "id": "CISA:A5E983E287BE1A6C13AEFAD3B3E1C93E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/06/29/palo-alto-releases-security-updates-pan-os", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-07T14:20:24", "description": "Amid the Colonial Pipeline and JBS ransomware attacks that sparked shockwaves among media worldwide, news [broke](<https://twitter.com/WilliamTurton/status/1400909892018487304>) that attackers were able to compromise Colonial Pipeline through a legacy VPN account. The account lacked multifactor authentication (MFA) and wasn\u2019t in active use within the business, a scenario unlikely to be unique to the fuel pipeline.\n\nLeaked creds or the lack of MFA won\u2019t be the only reason VPNs are a weakness for most security organizations. A laundry list of vulnerabilities in security appliances found in the last 12 months \u2014 including [Palo Alto Networks](<https://security.paloaltonetworks.com/CVE-2020-2021>), [F5](<https://www.zdnet.com/article/hackers-are-trying-to-steal-admin-passwords-from-f5-big-ip-devices/>) and [Citrix](<https://www.cpomagazine.com/cyber-security/massive-citrix-data-breach-thought-to-be-the-work-of-iranian-hackers/>) (or even the infamous [2020 SolarWind](<https://threatpost.com/microsoft-fireeye-malware-solarwinds/164512/>)[s attack](<https://threatpost.com/microsoft-fireeye-malware-solarwinds/164512/>)) \u2014 provides further evidence. But as an attacker, when it comes to targeting VPNs and other security appliances, it\u2019s not the relative abundance of vulnerabilities that make appliances a prime target, it\u2019s because organizations put too much trust in security tools.\n\nSecurity tools are often the weakest link for organizations, and can be an attacker\u2019s best way into a network. 
Security solutions can make life harder for an attacker like me, but they also present the greatest opportunity.\n\n## Your Appliances Rank High in Attackability\n\nOrganizations purchase multi-purpose security solutions like VPNs, firewalls, monitoring solutions or network-segmentation devices for simplicity. A single security solution covers multiple security functions, and \u201cchecks the box\u201d on many of the security controls you need. But the problem with purchasing one security solution for everything, is that you have a single point of failure. If the box is compromised, everything fails.\n\nThis is the desired outcome of most attack campaigns. As attackers [perform their own calculus](<https://threatpost.com/6-questions-attackers-ask-exploit/162651/>) to determine the ROI of executing a campaign, the costs of targeting security solutions become insignificant. A compromised VPN can lead to deep network access and lateral movement through the network. As an attacker, I only have to pick a single lock. If I do this, not only have I gained access to the network, but to a highly trusted box that awards me a lot of privilege.\n\n## In Play\n\nI was recently asked by a financial services institution to access their \u201ccrown jewels.\u201d All it took for me to compromise their entire network was:\n\n 1. Figuring out what VPN they used (easy, I could figure that out by scanning the internet)\n\n 2. Finding a vulnerability in this VPN.\n\nThat\u2019s exactly what I did \u2014 and that\u2019s how countless attackers approach their targets on an ongoing basis. Because the vulnerability I discovered gave me complete control over the device itself, I completely pwned it and all its functionalities in one fell swoop. The VPN this organization was using wasn\u2019t just a VPN \u2014 it served as a firewall and did logging and network segmentation as well. 
This security system was designed to protect them, but every part of its functionality could no longer be trusted. How can an organization trust the logs if a logger itself is compromised?\n\nEndpoint security layers work the same way. Most organizations put one type of endpoint detection and response (EDR) solution or antivirus on every single one of their endpoints. If I can exploit that one solution (or just bypass it), I\u2019m g2g on every single one of the computers in their network.\n\n## How to Avoid the Security-Appliance Risk\n\nThis isn\u2019t to say that a business shouldn\u2019t use VPNs \u2014 in fact, I recommend their use. In an ideal world, no IT environment would have a single point of failure, but defenders must take preventative measures before suffering an intrusion. Ideally, your system should be complex for an attacker, while being as easy as possible for you to navigate. It means being aware of the risk and baking in the possibility of losing control of these appliances into their security protocols.\n\nVendors aren\u2019t perfect. That\u2019s been proven time and again. If you\u2019re dependent on one box, it needs to be perfect 100 percent of the time. But that rate of perfection is a logical impossibility. You need to have thousands of controls, layered on top of each other. \u201cDefense in depth\u201d cannot be achieved by one box that has all your controls. You need multiple layers, different controls for when something fails (which everything will at some point.)\n\nZero-trust principles should include your third-party security tools. Do not fall into the trap of thinking that just because it is an out-of-the-box appliance and it costs a lot of money to stand up, it is impenetrable. In security, nothing is impenetrable; not even security tools. Consider your security boxes to be just as hackable and more attractive to an attacker than other boxes. 
Have contingency plans in place for when your tool makes the headlines.\n\nJust remember: You don\u2019t have to be perfect. You just have to make my life as the attacker a little bit harder, consistently, over time. Even making my job just slightly more difficult can spell the difference between becoming a headline and keeping an attacker out of your system altogether\n\n_**David \u201cmoose\u201d Wolpoff is CTO at Randori.**_\n\n_**Enjoy additional insights from Threatpost\u2019s InfoSec Insider community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "cvss3": {}, "published": "2021-07-07T14:11:14", "type": "threatpost", "title": "Why I Love (Breaking Into) Your Security Appliances", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-2021"], "modified": "2021-07-07T14:11:14", "id": "THREATPOST:E33A690C7225E32F19E8E6C4C27B19F9", "href": "https://threatpost.com/breaking-into-security-appliances/167584/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-17T21:59:13", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a \u201chigh potential for compromise of agency information systems.\u201d\n\nIn an [Emergency Directive](<https://cyber.dhs.gov/ed/20-03/>), the Department of Homeland Security (DHS) agency ordered the \u201cFederal Civilian Executive Branch\u201d to apply a patch Microsoft released Tuesday for the vulnerability, ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), by 2:00 pm ET Friday.\n\n\u201cCISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,\u201d the agency said in the directive. 
\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically, the directive requires that by the deadline, all of the aforementioned agencies do the following: \u201cUpdate all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role; ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed; and ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\u201d\n\nWhile there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on \u201cthe likelihood of the vulnerability being exploited\u201d as well as \u201cthe widespread use of the affected software across the Federal enterprise,\u201d and \u201cthe grave impact of a successful compromise,\u201d according to the directive.\n\nThe CISA emergency directive includes:\n\n * By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\n\nThe agency recommends taking equipment offline if it can\u2019t be patched before the CISA deadline.\n\nThe vulnerability, a DNS flaw, was one of 123 bugs Microsoft patch in [July\u2019s Patch Tuesday](<https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/>), the fifth month in a row the company 
patched more than 100 vulnerabilities.\n\nCVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially [discovered by Sagi Tzaik](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>), a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s [Patch Tuesday analysis](<https://www.tenable.com/blog/microsoft-s-july-2020-patch-tuesday-addresses-123-cves-including-wormable-windows-dns-server>). \u201cSuccessful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d\n\nMoreover, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he said.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, the CISA also strongly recommends that all state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.\n\nThe CISA has had its hands full lately warning on the exploit likelihood and danger of critical vulnerabilities that have either been discovered or patched in widely used hardware and software.\n\nOn July 14, the CISA [warned](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) of a critical vulnerability for SAP customers, the successful exploitation of which could open the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); and engage in other numerous types of disruptive behavior.\n\nA 
week before that, the agency urged all administrators to [implement an urgent patch](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nThe CISA also [warned](<https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/>) June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, ordering agencies to patch all affected devices.\n", "cvss3": {}, "published": "2020-07-17T15:43:00", "type": "threatpost", "title": "CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2020-2021"], "modified": "2020-07-17T15:43:00", "id": "THREATPOST:363C332F7046A481C24C7172C55CF758", "href": "https://threatpost.com/cisa-emergency-directive-orders-immediate-fix-of-windows-dns-server-bug/157529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:17:34", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication.\n\nThe Department of Defense (DoD) arm that oversees cyberspace operations has advised all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML), according to a [tweet](<https://twitter.com/CNMF_CyberAlert/status/1277674547542659074>) by the agency.\n\n\u201cForeign APTs will likely attempt exploit soon,\u201d U.S. Cyber Command tweeted. 
\u201cWe appreciate @PaloAltoNtwks\u2019 proactive response to this vulnerability.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nPalo Alto Networks on Monday [posted an advisory](<https://security.paloaltonetworks.com/CVE-2020-2021>) on the vulnerability, which affects the devices\u2019 operating systems (PAN-OS). PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected.\n\nPalo Alto already has patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions, which is why CISA is urging immediate update to affected devices.\n\nThe vulnerability basically allows for authentication bypass, so threat actors can access the device without having to provide any credentials. However, hackers can only exploit the flaw when SAML authentication is enabled and the \u201cValidate Identity Provider Certificate\u201d option is disabled (unchecked), according to researchers.\n\nThis combination allows for \u201can unauthenticated network-based attacker to access protected resources\u201d through an \u201cimproper verification of signatures in PAN-OS SAML authentication,\u201d according to Palo Alto\u2019s alert.\n\n\u201cThe attacker must have network access to the vulnerable server to exploit this vulnerability,\u201d researchers added.\n\nPalo Alto provided [details](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.>) for how users of potentially affected devices can check if their device is in the configuration that allows for exploitation of the flaw.\n\n\u201cAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions,\u201d researchers added in the advisory.\n\nCISA doesn\u2019t typically issue a warning on just any security flaw in vendors\u2019 
enterprise products. However, the agency\u2019s cause for concern seems to be that the vulnerability has been rated the highest score on the CVSSv3 severity scale\u2014a 10 out of 10.\n\nThis rating means it is easy to exploit and doesn\u2019t require advanced technical skills. Attackers also don\u2019t need to infiltrate the device they target itself to exploit the flaw; they can do so remotely via the internet.\n\nUsers noted that they have been aware of the flaw for some time, so they also welcomed the fix from Palo Alto. \u201cThis was a great concern,\u201d [wrote](<https://twitter.com/Sihegee/status/1277677527943671809>) Twitter user [Sihegee USA / Social](<https://twitter.com/Sihegee>), who suggested that people using devices with Yhoo and AT&T email services might be particularly affected by the issue. \u201cAt least now we have a patch.\u201d\n\nWhen updating affected devices, people should ensure that the signing certificate for their SAML identity provider is configured as the \u201cIdentity Provider Certificate\u201d before upgrading, to ensure that users of the device can continue to authenticate successfully, according to Palo Alto.\n\nDetails of all actions required before and after upgrading PAN-OS are available from the company [online](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK>).\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
[Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-06-30T13:48:47", "type": "threatpost", "title": "CISA: Nation-State Attackers Likely to Take Aim at Palo Alto Networks Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-2021", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-06-30T13:48:47", "id": "THREATPOST:14236108003AC6A3E1AB861A15ECA88F", "href": "https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security 
advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. 
While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). 
[Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. 
[Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-22T18:21:41", "description": "Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-25T00:00:00", "type": "cisa_kev", "title": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021"], "modified": "2022-03-25T00:00:00", "id": "CISA-KEV-CVE-2020-2021", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-10-13T18:33:05", "description": "When Security Assertion Markup Language (SAML) authentication is enabled and the \u2018Validate Identity Provider Certificate\u2019 option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.\n\n \n**Recent assessments:** \n \n**wvu-r7** at June 29, 2020 6:32pm UTC reported:\n\nTechnical details are a little sparse in the advisory, but this reads more like a bad software configuration or design than a vulnerability \u2013 one that may be indicative of a systemic problem in SAML implementations, not unlike the issues with SSL/TLS in practice.\n\nDisabling identity provider (IdP) verification is akin to disabling SSL/TLS certificate verification, which is similarly the case here: many IdPs will generate self-signed certs, rendering verification all but impossible unless the software supports trusting individual certs. 
It is easier to leave a box unchecked. A box that seems to imply verifying only CA-signed certs. Palo Alto states as much in their advisory:\n\n> Many popular IdPs generate self-signed IdP certificates by default and the \u2018Validate Identity Provider Certificate\u2019 option cannot be enabled.\n\nIt would not surprise me if many organizations have this option disabled, regardless of what the default configuration may be (I haven\u2019t been able to check), since widespread documentation suggests doing so. Case in point is [Okta\u2019s documentation](<https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html>) on setting up SAML for Palo Alto products:\n\n\n\nMany other IdPs, including [Microsoft\u2019s Azure Active Directory](<https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltoadmin-tutorial>), suggest the same. This sets a dangerous precedent for other software to follow. In the worst case, this problem is already endemic in SAML implementations, regardless of the circumstances here. An audit of SAML implementations may be a worthy endeavor.\n\nYou should still patch or otherwise fix this configuration if at all possible. Palo Alto suggests using a [CA-signed cert](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP>) when available. Ideally, certificates should be trusted on a one-by-one basis, which is an unsustainable model for SSL/TLS but adequate for SAML. Of course, the software must support this, and the documentation must advise it. 
This was not the case here, apparently.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-29T00:00:00", "type": "attackerkb", "title": "CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021"], "modified": "2020-12-21T00:00:00", "id": "AKB:B05FF131-9188-45DC-8317-99DD9D7A6356", "href": "https://attackerkb.com/topics/WMHdn7IVZZ/cve-2020-2021-pan-os-authentication-bypass-in-saml-authentication", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-30T08:07:01", "description": "An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled. 
This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.\n\n \n**Recent assessments:** \n \n**WorldHack666** at September 06, 2020 2:59pm UTC reported:\n\nfghfgjj\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-08T00:00:00", "type": "attackerkb", "title": "CVE-2020-2034 \u2014 PAN-OS: OS command injection vulnerability in GlobalProtect portal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021", "CVE-2020-2034"], "modified": "2020-12-21T00:00:00", "id": "AKB:365547B1-E741-4CB5-94CD-AEB8EE1DACA3", "href": "https://attackerkb.com/topics/efcHIYIgKH/cve-2020-2034-pan-os-os-command-injection-vulnerability-in-globalprotect-portal", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-13T20:52:50", "description": "An elevation of privilege vulnerability exists 
when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka \u2018Netlogon Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**VoidSec** at September 15, 2020 8:31am UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\n**wvu-r7** at August 11, 2020 10:15pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\n**jpcastr0** at September 16, 2020 3:29pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\n**zeroSteiner** at October 09, 2020 5:00pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\n**gwillcox-r7** at October 20, 2020 6:00pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\n**aherndon-r7** at May 03, 2021 8:58pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-08-17T00:00:00", "type": "attackerkb", "title": "CVE-2020-1472 aka Zerologon", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2020-2021"], "modified": "2020-11-18T00:00:00", "id": "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "href": "https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2021-07-28T14:33:11", "description": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider 
Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.\n\nThis issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.\n\nThis issue cannot be exploited if SAML is not used for authentication. \n\nThis issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.\n\nResources that can be protected by SAML-based single sign-on (SSO) authentication are: \n GlobalProtect Gateway,\n GlobalProtect Portal,\n GlobalProtect Clientless VPN,\n Authentication and Captive Portal,\n PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,\n Prisma Access\n\nIn the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).\n\nIn the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. 
In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).\n\nPalo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.\n\n\n**Work around:**\nUsing a different authentication method and disabling SAML authentication will completely mitigate the issue.\nUntil an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:\n\n(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.\n\n(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. 
Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.\n\nUpgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-29T15:00:00", "type": "paloalto", "title": "PAN-OS: Authentication Bypass in SAML Authentication", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021"], "modified": "2020-06-29T15:00:00", "id": "PA-CVE-2020-2021", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-2021", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:10", "description": "An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. 
An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled.\nThis issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.\nPrisma Access services are not impacted by this vulnerability. Firewalls that were upgraded to the latest versions of PAN-OS to resolve CVE-2020-2021 are not vulnerable to this issue.\nPalo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.\n\n\n**Work around:**\nUntil PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 58658 on traffic destined for the GlobalProtect portal will block attacks against CVE-2020-2034.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-08T16:00:00", "type": "paloalto", "title": "PAN-OS: OS command injection vulnerability in GlobalProtect portal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2034", "CVE-2020-2021"], "modified": "2020-07-08T16:00:00", "id": "PA-CVE-2020-2034", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-2034", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-07-20T07:48:34", "description": "# CVE-2020-2021\nCVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-29T16:56:10", "type": "githubexploit", "title": "Exploit for Improper Verification of Cryptographic Signature in Paloaltonetworks Pan-Os", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021"], "modified": "2022-07-20T07:41:00", "id": "6D825BB4-8B86-5C07-8265-B2BF353F672A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nessus": [{"lastseen": "2023-01-11T15:15:19", "description": "The version of Palo Alto Networks PAN-OS running on the remote host is 8.0.x prior to 8.1.15 or 8.1.x prior to 8.1.15 or 9.0.x prior to 9.0.9 or 9.1.x prior to 9.1.3. It is, therefore, affected by a SAML authentication bypass vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-29T00:00:00", "type": "nessus", "title": "Palo Alto Networks PAN-OS 8.0.x < 8.1.15 / 8.1.x < 8.1.15 / 9.0.x < 9.0.9 / 9.1.x < 9.1.3 Authentication Bypass in SAML Authentication (CVE-2020-2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2021"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:paloaltonetworks:pan-os"], "id": "PALO_ALTO_CVE-2020-2021.NASL", "href": "https://www.tenable.com/plugins/nessus/137880", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137880);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-2021\");\n script_xref(name:\"IAVA\", value:\"2020-A-0282-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0054\");\n\n script_name(english:\"Palo Alto Networks PAN-OS 8.0.x < 8.1.15 / 8.1.x < 8.1.15 / 9.0.x < 9.0.9 / 9.1.x < 9.1.3 Authentication Bypass in SAML Authentication (CVE-2020-2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PAN-OS host is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Palo Alto Networks PAN-OS running on the remote host is 8.0.x prior to 8.1.15 or 8.1.x prior to 8.1.15 or\n9.0.x prior to 9.0.9 or 9.1.x prior to 9.1.3. It is, therefore, affected by a SAML authentication bypass vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.paloaltonetworks.com/CVE-2020-2021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/347.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PAN-OS 8.1.15 / 8.1.15 / 9.0.9 / 9.1.3 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2021\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(347);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/29\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:paloaltonetworks:pan-os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Palo Alto Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"palo_alto_version.nbin\");\n script_require_keys(\"Host/Palo_Alto/Firewall/Version\", \"Host/Palo_Alto/Firewall/Full_Version\", \"Host/Palo_Alto/Firewall/Source\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvcf::palo_alto::initialize();\n\napp_name = 'Palo Alto Networks PAN-OS';\n\napp_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Palo_Alto/Firewall/Full_Version', kb_source:'Host/Palo_Alto/Firewall/Source');\n\n# we can't check if SAML auth is in use\n# we also can't check if the 'Validate Identity Provider Certificate' option is disabled\n# However, customers rarely run paranoid checks (~15%), so let's remove paranoid (see RES-41791)\n# if (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nconstraints = [\n { 'min_version' : '8.0.0', 'fixed_version' : '8.1.15' },\n { 'min_version' : '8.1.0', 'fixed_version' : '8.1.15' },\n { 'min_version' : '9.0.0', 'fixed_version' : '9.0.9' },\n { 'min_version' : '9.1.0', 'fixed_version' : '9.1.3' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
