UPDATED 22:23 EDT / JULY 01 2020

37837942786_80aa5548c8_c SECURITY

Palo Alto Networks device users urged to install patch for critical vulnerability

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging users of Palo Alto Networks Inc. network devices to apply a patch following the discovery of a critical vulnerability that could be exploited by foreign threat groups.

The vulnerability affects PAN-OS, the operating system that runs on Palo Alto’s next-generation firewalls and enterprise virtual private network appliances. CVE-2020-2021, as it’s formally named, is an authentication bypass vulnerability that could allow remote attackers to gain access and control of targeted devices. Once access is gained, an attacker would be able to change settings, change access control policies and execute arbitrary code opening the door to a full compromise of a targeted network or system.

Palo Alto Monday issued a security advisory including a patch for the vulnerability and workarounds to prevent the attacks as well. The vulnerability notably applies only to devices when Security Assertion Markup Language authentication is enabled and the Validate Identity Provider Certificate option is disabled. If SAML is disabled or VIPC enabled, the vulnerability cannot be exploited.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15 and all versions of PAN-OS 8.0.

“This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification and using SAML to interface with back-end authorization services,” Bryan Skene, chief technology officer at secure networking company Tempered Networks Inc., told SiliconANGLE today. “Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely. Complexity in system configuration, certificate management, or protocol implementation all provide avenues for exploitation.”

Warren Poschman, senior solutions architect with data security firm comforte AG, noted that the vulnerability underscores the need to have robust security at all layers, including the data level.

“As these vulnerabilities are addressed, the risk that others will be found is an almost inevitability – it’s not if attackers will find ways in but when,” Poschman said. “Organizations need to protect not only the perimeter but also the data that these attackers are actually after.”

Photo: Johannes Weber/Flickr

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.