Mitigation Instructions for CVE-2021-40438

Written by CyRisk Vulnerability Management Team | Feb 26, 2024 3:42:08 PM

SUBJECT: CVE-2020-2021: Improper Verification of Signatures in PAN-OS SAML Authentication

TECH STACK: PAN-OS, SAML (Security Assertion Markup Language), Identity Provider (IdP), Protected Resources

DATE(S) ISSUED: 06/29/2020

NVD Last Modified: 07/06/2020

CRITICALITY: CRITICAL

OVERVIEW:

CVE-2020-2021 is a critical severity vulnerability affecting Palo Alto Networks' PAN-OS operating system. This vulnerability occurs when Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled. In such cases, improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to gain access to protected resources.

To exploit this vulnerability, the attacker must have network access to the vulnerable server. The impacted versions include PAN-OS 9.1 versions earlier than PAN-OS 9.1.3, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (end-of-life).

Depending on the specific component being targeted, the impact varies. For GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, the attacker can gain access to protected resources based on configured authentication and security policies. In the case of PAN-OS and Panorama web interfaces, the attacker can log in as an administrator and perform administrative actions.

SOLUTION:

To mitigate the CVE-2020-2021 vulnerability, follow these instructions:

  1. Update PAN-OS: Upgrade your PAN-OS operating system to a patched version provided by Palo Alto Networks. Ensure that you are running PAN-OS 9.1.3 or later, PAN-OS 9.0.9 or later, or PAN-OS 8.1.15 or later. These patched versions contain the necessary security fixes to address the vulnerability.

  2. Enable 'Validate Identity Provider Certificate': In the SAML Identity Provider Server Profile, ensure that the 'Validate Identity Provider Certificate' option is enabled (checked). Enabling this option ensures proper verification of signatures in SAML authentication and helps prevent unauthorized access to protected resources.

  3. Restrict Network Access: Limit network access to the vulnerable server by implementing proper network segmentation and access controls. By restricting access to only authorized users or specific management networks, you can reduce the risk of potential exploitation.

  4. Monitor for Suspicious Activity: Implement intrusion detection and prevention systems (IDPS) or security monitoring tools to detect any suspicious activity related to SAML authentication. Monitor logs and network traffic for any signs of unauthorized access attempts or unusual behavior.

  5. Follow Security Best Practices: Follow industry best practices for secure configuration and deployment of PAN-OS. This includes regularly reviewing and applying security updates, using strong authentication mechanisms, and employing least privilege principles for user access.
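As an added example, not code from the advisory or from Palo Alto Networks, the following Python check encodes the affected version ranges and the configuration condition described above (SAML enabled with 'Validate Identity Provider Certificate' disabled) so an inventory of devices can be triaged. The handling of a trailing '-hN' hotfix suffix in version strings is an assumption.

```python
"""Triage a PAN-OS device against CVE-2020-2021 (added example)."""
import re
from typing import Tuple

# First fixed release per affected major.minor train, from the advisory.
FIXED_IN = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
}
# Every PAN-OS 8.0 release is affected and unpatched (end-of-life).
EOL_TRAINS = {(8, 0)}

# Assumption: versions look like 'major.minor.patch' with an optional '-hN'
# hotfix suffix; the suffix does not change the train or patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_affected(version: str) -> bool:
    """True if the release predates the fix for CVE-2020-2021."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    if train in EOL_TRAINS:
        return True
    fixed = FIXED_IN.get(train)
    if fixed is None:
        return False  # train not listed as affected in the advisory
    return (major, minor, patch) < fixed


def assess(version: str, saml_enabled: bool, validate_idp_cert: bool) -> str:
    """Combine release level and SAML profile settings into a finding."""
    if not version_is_affected(version):
        return "not affected: patched release"
    if not saml_enabled:
        return "affected release, SAML disabled: not exposed as configured"
    if validate_idp_cert:
        return "affected release, IdP certificate validated: upgrade still recommended"
    return "VULNERABLE: upgrade and enable 'Validate Identity Provider Certificate'"
```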

REFERENCES:

Palo Alto Networks. "CVE-2020-2021." [Online]. Available: https://security.paloaltonetworks.com/CVE-2020-2021