ID CVE-2020-2021 Type cve Reporter cve@mitre.org Modified 2020-07-06T14:39:00
Description
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
{"id": "CVE-2020-2021", "bulletinFamily": "NVD", "title": "CVE-2020-2021", "description": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.", "published": "2020-06-29T15:15:00", "modified": "2020-07-06T14:39:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2021", "reporter": "cve@mitre.org", "references": ["https://security.paloaltonetworks.com/CVE-2020-2021"], "cvelist": ["CVE-2020-2021"], "type": "cve", "lastseen": "2020-07-07T11:01:48", "history": [{"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2020-2021"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-06-30T12:24:28", "references": [{"idList": ["PA-CVE-2020-2021"], "type": "paloalto"}, {"idList": ["PALO_ALTO_CVE-2020-2021.NASL"], "type": "nessus"}, {"idList": ["THREATPOST:14236108003AC6A3E1AB861A15ECA88F"], "type": "threatpost"}], "rev": 2}, "score": {"modified": "2020-06-30T12:24:28", "rev": 2, "value": 3.9, "vector": "NONE"}}, "hash": "17807d69993877406bd74500a4bfc2a120cb60bd24e892c788dae4c281c36a0c", "hashmap": [{"hash": "e4d4f25bd4e3908ee6594feff9c8ae41", "key": "title"}, {"hash": "c120b4eebe86b330d2967172b1ae6b2f", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2ec0624465a3159c519c06789a07e715", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "450e47e3c29eb00e6f5b730a467a06d8", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "2f00198a18dce5a58f57257f6ce69c6c", "key": "description"}, {"hash": "5451b361a07d8a9e0147397954892eb4", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "427e792877ea7db04343ea4cc812e888", "key": "published"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2021", "id": "CVE-2020-2021", "lastseen": "2020-06-30T12:24:28", "modified": "2020-06-29T16:15:00", "objectVersion": "1.3", "published": "2020-06-29T15:15:00", "references": ["https://security.paloaltonetworks.com/CVE-2020-2021"], "reporter": "cve@mitre.org", "title": "CVE-2020-2021", "type": "cve", "viewCount": 40}, "differentElements": ["cvss", "cvss2", "modified", "cpe", "cwe", "affectedSoftware"], "edition": 1, "lastseen": "2020-06-30T12:24:28"}], "edition": 2, "hashmap": [{"key": "affectedSoftware", "hash": "aeecabcc3825d065c64c18783fd71237"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a7cb3eba1e2fb2003407c86a61415e80"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "5451b361a07d8a9e0147397954892eb4"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "9acfcf14cfd828b910139bef8de6f4f5"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "543514279a3ba505ea72da3b71a00e8d"}, {"key": "description", "hash": "2f00198a18dce5a58f57257f6ce69c6c"}, {"key": "href", "hash": "450e47e3c29eb00e6f5b730a467a06d8"}, {"key": "modified", "hash": "72f0b7d1608eda3ed92d9d69386309ad"}, {"key": "published", "hash": "427e792877ea7db04343ea4cc812e888"}, {"key": "references", "hash": "c120b4eebe86b330d2967172b1ae6b2f"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "e4d4f25bd4e3908ee6594feff9c8ae41"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "711a0bb970881f9040ef1334d2fd3bf174bcb9e14ee64891a9dba8d9b2c58e60", "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["PALO_ALTO_CVE-2020-2021.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:363C332F7046A481C24C7172C55CF758", "THREATPOST:14236108003AC6A3E1AB861A15ECA88F"]}, {"type": "paloalto", "idList": ["PA-CVE-2020-2034", "PA-CVE-2020-2021"]}], "modified": "2020-07-07T11:01:48", "rev": 2}, "score": {"value": 3.9, "vector": "NONE", "modified": "2020-07-07T11:01:48", "rev": 2}, "vulnersScore": 3.9}, "objectVersion": "1.3", "cpe": ["cpe:/a:paloaltonetworks:pan-os:8.1.5", "cpe:/a:paloaltonetworks:pan-os:8.0.19", "cpe:/a:paloaltonetworks:pan-os:8.1.9", "cpe:/a:paloaltonetworks:pan-os:8.1.2", "cpe:/a:paloaltonetworks:pan-os:9.0.1", "cpe:/a:paloaltonetworks:pan-os:8.1.4", "cpe:/a:paloaltonetworks:pan-os:9.0.5", "cpe:/a:paloaltonetworks:pan-os:8.0.11", "cpe:/a:paloaltonetworks:pan-os:9.1.1", "cpe:/a:paloaltonetworks:pan-os:8.0.9", "cpe:/a:paloaltonetworks:pan-os:8.0.16", "cpe:/a:paloaltonetworks:pan-os:8.1.8", "cpe:/a:paloaltonetworks:pan-os:8.0.0", "cpe:/a:paloaltonetworks:pan-os:8.1.1", "cpe:/a:paloaltonetworks:pan-os:8.0.4", "cpe:/a:paloaltonetworks:pan-os:8.0.3", "cpe:/a:paloaltonetworks:pan-os:8.1.0", "cpe:/a:paloaltonetworks:pan-os:9.0.3", "cpe:/a:paloaltonetworks:pan-os:8.0.10", "cpe:/a:paloaltonetworks:pan-os:9.0.4", "cpe:/a:paloaltonetworks:pan-os:9.1.0", "cpe:/a:paloaltonetworks:pan-os:8.0.12", "cpe:/a:paloaltonetworks:pan-os:8.0.18", "cpe:/a:paloaltonetworks:pan-os:8.0.14", "cpe:/a:paloaltonetworks:pan-os:9.0.2", "cpe:/a:paloaltonetworks:pan-os:8.1.12", "cpe:/a:paloaltonetworks:pan-os:8.0.20", "cpe:/a:paloaltonetworks:pan-os:9.0.6", "cpe:/a:paloaltonetworks:pan-os:8.1.13", "cpe:/a:paloaltonetworks:pan-os:8.1.11", "cpe:/a:paloaltonetworks:pan-os:8.1.6", "cpe:/a:paloaltonetworks:pan-os:8.0.15", "cpe:/a:paloaltonetworks:pan-os:8.0.1", "cpe:/a:paloaltonetworks:pan-os:8.1.14", "cpe:/a:paloaltonetworks:pan-os:8.0.6", "cpe:/a:paloaltonetworks:pan-os:8.0.17", "cpe:/a:paloaltonetworks:pan-os:9.0.8", "cpe:/a:paloaltonetworks:pan-os:8.0.13", "cpe:/a:paloaltonetworks:pan-os:8.1.3", "cpe:/a:paloaltonetworks:pan-os:8.0.8", "cpe:/a:paloaltonetworks:pan-os:8.1.7", "cpe:/a:paloaltonetworks:pan-os:8.0.5", "cpe:/a:paloaltonetworks:pan-os:9.0.0", "cpe:/a:paloaltonetworks:pan-os:9.0.7", "cpe:/a:paloaltonetworks:pan-os:8.0.7", "cpe:/a:paloaltonetworks:pan-os:9.1.2", "cpe:/a:paloaltonetworks:pan-os:8.0.2"], "affectedSoftware": [{"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.13"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.1"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.12"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.0"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.14"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.8"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.2"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.9"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.8"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.12"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.3"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.18"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.3"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.4"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.2"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.7"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.17"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.7"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.14"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.0"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.3"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.1.1"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.8"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.0"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.5"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.5"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.13"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.1"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.1"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.15"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.6"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.4"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.6"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.5"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.4"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.11"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.16"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.2"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.10"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.9"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.7"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.0.6"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.19"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.1.11"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.1.2"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "8.0.20"}, {"name": "paloaltonetworks pan-os", "operator": "eq", "version": "9.1.0"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": [], "cwe": ["CWE-347"], "scheme": null}
{"nessus": [{"lastseen": "2020-08-01T04:21:56", "bulletinFamily": "scanner", "description": "The version of Palo Alto Networks PAN-OS running on the remote host is 8.0.x prior to 8.1.15 or 8.1.x prior to 8.1.15 or\n9.0.x prior to 9.0.9 or 9.1.x prior to 9.1.3. It is, therefore, affected by a SAML authentication bypass vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application", "modified": "2020-06-29T00:00:00", "id": "PALO_ALTO_CVE-2020-2021.NASL", "href": "https://www.tenable.com/plugins/nessus/137880", "published": "2020-06-29T00:00:00", "title": "Palo Alto Networks PAN-OS 8.0.x < 8.1.15 / 8.1.x < 8.1.15 / 9.0.x < 9.0.9 / 9.1.x < 9.1.3 Authentication Bypass in SAML Authentication (CVE-2020-2021)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137880);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/31\");\n\n script_cve_id(\"CVE-2020-2021\");\n script_xref(name:\"IAVA\", value:\"2020-A-0282\");\n\n script_name(english:\"Palo Alto Networks PAN-OS 8.0.x < 8.1.15 / 8.1.x < 8.1.15 / 9.0.x < 9.0.9 / 9.1.x < 9.1.3 Authentication Bypass in SAML Authentication (CVE-2020-2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PAN-OS host is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Palo Alto Networks PAN-OS running on the remote host is 8.0.x prior to 8.1.15 or 8.1.x prior to 8.1.15 or\n9.0.x prior to 9.0.9 or 9.1.x prior to 9.1.3. It is, therefore, affected by a SAML authentication bypass vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.paloaltonetworks.com/CVE-2020-2021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/347.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PAN-OS 8.1.15 / 8.1.15 / 9.0.9 / 9.1.3 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2021\");\n script_cwe_id(347);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/29\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:paloaltonetworks:pan-os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Palo Alto Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"palo_alto_version.nbin\");\n script_require_keys(\"Host/Palo_Alto/Firewall/Version\", \"Host/Palo_Alto/Firewall/Full_Version\", \"Host/Palo_Alto/Firewall/Source\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvcf::palo_alto::initialize();\n\napp_name = 'Palo Alto Networks PAN-OS';\n\napp_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Palo_Alto/Firewall/Full_Version', kb_source:'Host/Palo_Alto/Firewall/Source');\n\n# we can't check if SAML auth is in use\n# we also can't check if the 'Validate Identity Provider Certificate' option is disabled\n# However, customers rarely run paranoid checks (~15%), so let's remove paranoid (see RES-41791)\n# if (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nconstraints = [\n { 'min_version' : '8.0.0', 'fixed_version' : '8.1.15' },\n { 'min_version' : '8.1.0', 'fixed_version' : '8.1.15' },\n { 'min_version' : '9.0.0', 'fixed_version' : '9.0.9' },\n { 'min_version' : '9.1.0', 'fixed_version' : '9.1.3' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2020-07-07T11:24:39", "bulletinFamily": "software", "description": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.\n\nThis issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.\n\nThis issue cannot be exploited if SAML is not used for authentication. \n\nThis issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.\n\nResources that can be protected by SAML-based single sign-on (SSO) authentication are: \n GlobalProtect Gateway,\n GlobalProtect Portal,\n GlobalProtect Clientless VPN,\n Authentication and Captive Portal,\n PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,\n Prisma Access\n\nIn the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).\n\nIn the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).\n\nPalo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.\n\n\n**Work around:**\nUsing a different authentication method and disabling SAML authentication will completely mitigate the issue.\nUntil an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:\n\n(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.\n\n(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.\n\nUpgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.\n", "modified": "2020-06-29T15:00:00", "published": "2020-06-29T15:00:00", "id": "PA-CVE-2020-2021", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-2021", "title": "PAN-OS: Authentication Bypass in SAML Authentication", "type": "paloalto", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-10T11:24:57", "bulletinFamily": "software", "description": "An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled.\nThis issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.\nPrisma Access services are not impacted by this vulnerability. Firewalls that were upgraded to the latest versions of PAN-OS to resolve CVE-2020-2021 are not vulnerable to this issue.\nPalo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.\n\n\n**Work around:**\nUntil PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 58658 on traffic destined for the GlobalProtect portal will block attacks against CVE-2020-2034.", "modified": "2020-07-08T16:00:00", "published": "2020-07-08T16:00:00", "id": "PA-CVE-2020-2034", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-2034", "title": "PAN-OS: OS command injection vulnerability in GlobalProtect portal", "type": "paloalto", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-07-07T21:43:41", "bulletinFamily": "info", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication.\n\nThe Department of Defense (DoD) arm that oversees cyberspace operations has advised all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML), according to a [tweet](<https://twitter.com/CNMF_CyberAlert/status/1277674547542659074>) by the agency.\n\n\u201cForeign APTs will likely attempt exploit soon,\u201d U.S. Cyber Command tweeted. \u201cWe appreciate @PaloAltoNtwks\u2019 proactive response to this vulnerability.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nPalo Alto Networks on Monday [posted an advisory](<https://security.paloaltonetworks.com/CVE-2020-2021>) on the vulnerability, which affects the devices\u2019 operating systems (PAN-OS). PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected.\n\nPalo Alto already has patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions, which is why CISA is urging immediate update to affected devices.\n\nThe vulnerability basically allows for authentication bypass, so threat actors can access the device without having to provide any credentials. However, hackers can only exploit the flaw when SAML authentication is enabled and the \u201cValidate Identity Provider Certificate\u201d option is disabled (unchecked), according to researchers.\n\nThis combination allows for \u201can unauthenticated network-based attacker to access protected resources\u201d through an \u201cimproper verification of signatures in PAN-OS SAML authentication,\u201d according to Palo Alto\u2019s alert.\n\n\u201cThe attacker must have network access to the vulnerable server to exploit this vulnerability,\u201d researchers added.\n\nPalo Alto provided [details](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.>) for how users of potentially affected devices can check if their device is in the configuration that allows for exploitation of the flaw.\n\n\u201cAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions,\u201d researchers added in the advisory.\n\nCISA doesn\u2019t typically issue a warning on just any security flaw in vendors\u2019 enterprise products. However, the agency\u2019s cause for concern seems to be that the vulnerability has been rated the highest score on the CVSSv3 severity scale\u2014a 10 out of 10.\n\nThis rating means it is easy to exploit and doesn\u2019t require advanced technical skills. Attackers also don\u2019t need to infiltrate the device they target itself to exploit the flaw; they can do so remotely via the internet.\n\nUsers noted that they have been aware of the flaw for some time, so they also welcomed the fix from Palo Alto. \u201cThis was a great concern,\u201d [wrote](<https://twitter.com/Sihegee/status/1277677527943671809>) Twitter user [Sihegee USA / Social](<https://twitter.com/Sihegee>), who suggested that people using devices with Yhoo and AT&T email services might be particularly affected by the issue. \u201cAt least now we have a patch.\u201d\n\nWhen updating affected devices, people should ensure that the signing certificate for their SAML identity provider is configured as the \u201cIdentity Provider Certificate\u201d before upgrading, to ensure that users of the device can continue to authenticate successfully, according to Palo Alto.\n\nDetails of all actions required before and after upgrading PAN-OS are available from the company [online](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK>).\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-06-30T13:48:47", "published": "2020-06-30T13:48:47", "id": "THREATPOST:14236108003AC6A3E1AB861A15ECA88F", "href": "https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/", "type": "threatpost", "title": "CISA: Nation-State Attackers Likely to Take Aim at Palo Alto Networks Bug", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-17T21:59:13", "bulletinFamily": "info", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a \u201chigh potential for compromise of agency information systems.\u201d\n\nIn an [Emergency Directive](<https://cyber.dhs.gov/ed/20-03/>), the Department of Homeland Security (DHS) agency ordered the \u201cFederal Civilian Executive Branch\u201d to apply a patch Microsoft released Tuesday for the vulnerability, ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), by 2:00 pm ET Friday.\n\n\u201cCISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,\u201d the agency said in the directive. \n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically, the directive requires that by the deadline, all of the aforementioned agencies do the following: \u201cUpdate all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role; ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed; and ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\u201d\n\nWhile there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on \u201cthe likelihood of the vulnerability being exploited\u201d as well as \u201cthe widespread use of the affected software across the Federal enterprise,\u201d and \u201cthe grave impact of a successful compromise,\u201d according to the directive.\n\nThe CISA emergency directive includes:\n\n * By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\n\nThe agency recommends taking equipment offline if it can\u2019t be patched before the CISA deadline.\n\nThe vulnerability, a DNS flaw, was one of 123 bugs Microsoft patch in [July\u2019s Patch Tuesday](<https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/>), the fifth month in a row the company patched more than 100 vulnerabilities.\n\nCVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially [discovered by Sagi Tzaik](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>), a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s [Patch Tuesday analysis](<https://www.tenable.com/blog/microsoft-s-july-2020-patch-tuesday-addresses-123-cves-including-wormable-windows-dns-server>). \u201cSuccessful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d\n\nMoreover, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he said.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, the CISA also strongly recommends that all state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.\n\nThe CISA has had its hands full lately warning on the exploit likelihood and danger of critical vulnerabilities that have either been discovered or patched in widely used hardware and software.\n\nOn July 14, the CISA [warned](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) of a critical vulnerability for SAP customers, the successful exploitation of which could open the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); and engage in other numerous types of disruptive behavior.\n\nA week before that, the agency urged all administrators to [implement an urgent patch](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nThe CISA also [warned](<https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/>) June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, ordering agencies to patch all affected devices.\n", "modified": "2020-07-17T15:43:00", "published": "2020-07-17T15:43:00", "id": "THREATPOST:363C332F7046A481C24C7172C55CF758", "href": "https://threatpost.com/cisa-emergency-directive-orders-immediate-fix-of-windows-dns-server-bug/157529/", "type": "threatpost", "title": "CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
