PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification

An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication.

Impacted features that use SSL VPN with client certificate verification are:
GlobalProtect Gateway,
GlobalProtect Portal,
GlobalProtect Clientless VPN,
GlobalProtect Large Scale VPN

In configurations where client certificate verification is used in conjunction with other authentication methods, the protections added by the certificate check are ignored as a result of this issue.

Work around:
Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 59884 on traffic destined for the GlobalProtect portal, gateway, or VPN will block attacks against CVE-2020-2050.

This issue can be mitigated by configuring GlobalProtect to require users to authenticate with their credentials. Other authentication methods are not impacted by this issue.