UPDATED 22:23 EDT / JULY 01 2020

SECURITY

Palo Alto Networks device users urged to install patch for critical vulnerability

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging users of Palo Alto Networks Inc. network devices to apply a patch following the discovery of a critical vulnerability that could be exploited by foreign threat groups.

The vulnerability affects PAN-OS, the operating system that runs on Palo Alto’s next-generation firewalls and enterprise virtual private network appliances. CVE-2020-2021, as it’s formally named, is an authentication bypass vulnerability that could allow remote attackers to gain access and control of targeted devices. Once access is gained, an attacker would be able to change settings, change access control policies and execute arbitrary code opening the door to a full compromise of a targeted network or system.

Palo Alto Monday issued a security advisory including a patch for the vulnerability and workarounds to prevent the attacks as well. The vulnerability notably applies only to devices when Security Assertion Markup Language authentication is enabled and the Validate Identity Provider Certificate option is disabled. If SAML is disabled or VIPC enabled, the vulnerability cannot be exploited.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3, PAN-OS 9.0 versions earlier than PAN-OS 9.0.9, PAN-OS 8.1 versions earlier than PAN-OS 8.1.15 and all versions of PAN-OS 8.0.

“This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification and using SAML to interface with back-end authorization services,” Bryan Skene, chief technology officer at secure networking company Tempered Networks Inc., told SiliconANGLE today. “Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely. Complexity in system configuration, certificate management, or protocol implementation all provide avenues for exploitation.”

Warren Poschman, senior solutions architect with data security firm comforte AG, noted that the vulnerability underscores the need to have robust security at all layers, including the data level.

“As these vulnerabilities are addressed, the risk that others will be found is an almost inevitability – it’s not if attackers will find ways in but when,” Poschman said. “Organizations need to protect not only the perimeter but also the data that these attackers are actually after.”

Photo: Johannes Weber/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU