CISA: Nation-State Attackers Likely to Take Aim at Palo Alto Networks Bug


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication. The Department of Defense (DoD) arm that oversees cyberspace operations has advised all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML), according to a [tweet](<https://twitter.com/CNMF_CyberAlert/status/1277674547542659074>) by the agency. “Foreign APTs will likely attempt exploit soon,” U.S. Cyber Command tweeted. “We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.” [![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>) Palo Alto Networks on Monday [posted an advisory](<https://security.paloaltonetworks.com/CVE-2020-2021>) on the vulnerability, which affects the devices’ operating systems (PAN-OS). PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected. Palo Alto already has patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions, which is why CISA is urging immediate update to affected devices. The vulnerability basically allows for authentication bypass, so threat actors can access the device without having to provide any credentials. However, hackers can only exploit the flaw when SAML authentication is enabled and the “Validate Identity Provider Certificate” option is disabled (unchecked), according to researchers. This combination allows for “an unauthenticated network-based attacker to access protected resources” through an “improper verification of signatures in PAN-OS SAML authentication,” according to Palo Alto’s alert. “The attacker must have network access to the vulnerable server to exploit this vulnerability,” researchers added. Palo Alto provided [details](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.>) for how users of potentially affected devices can check if their device is in the configuration that allows for exploitation of the flaw. “Any unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions,” researchers added in the advisory. CISA doesn’t typically issue a warning on just any security flaw in vendors’ enterprise products. However, the agency’s cause for concern seems to be that the vulnerability has been rated the highest score on the CVSSv3 severity scale—a 10 out of 10. This rating means it is easy to exploit and doesn’t require advanced technical skills. Attackers also don’t need to infiltrate the device they target itself to exploit the flaw; they can do so remotely via the internet. Users noted that they have been aware of the flaw for some time, so they also welcomed the fix from Palo Alto. “This was a great concern,” [wrote](<https://twitter.com/Sihegee/status/1277677527943671809>) Twitter user [Sihegee USA / Social](<https://twitter.com/Sihegee>), who suggested that people using devices with Yhoo and AT&T email services might be particularly affected by the issue. “At least now we have a patch.” When updating affected devices, people should ensure that the signing certificate for their SAML identity provider is configured as the “Identity Provider Certificate” before upgrading, to ensure that users of the device can continue to authenticate successfully, according to Palo Alto. Details of all actions required before and after upgrading PAN-OS are available from the company [online](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK>). **_BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**