Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2020-2021
PUBLISHED
Known KEV
More InfoOfficial Page
Assigner-palo_alto
Assigner Org ID-d6c1279f-00f6-4ef7-9217-f89ffe703ec0
View Known Exploited Vulnerability (KEV) details
Published At-29 Jun, 2020 | 15:10
Updated At-30 Jul, 2025 | 01:45
Rejected At-
▼CVE Numbering Authority (CNA)
PAN-OS: Authentication Bypass in SAML Authentication

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Affected Products
Vendor
Palo Alto Networks, Inc.Palo Alto Networks
Product
PAN-OS
Versions
Affected
  • 8.0.*
  • From 8.1 before 8.1.15 (custom)
    • -> unaffectedfrom8.1.15
  • From 9.0 before 9.0.9 (custom)
    • -> unaffectedfrom9.0.9
  • From 9.1 before 9.1.3 (custom)
    • -> unaffectedfrom9.1.3
Unaffected
  • 7.1.*
Problem Types
TypeCWE IDDescription
CWECWE-347CWE-347 Improper Verification of Cryptographic Signature
Metrics
VersionBase scoreBase severityVector
3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions. Important: Ensure that the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication Details of all actions required before and after upgrading PAN-OS are available in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK. To eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface. Refer to this article for configuring Authentication override cookies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy Restarting firewalls and Panorama eliminates any unauthorized sessions on the web interface. To clear any unauthorized user sessions in Captive Portal take the following steps: Run the following command show user ip-user-mapping all type SSO For all the IPs returned, run these two commands to clear the users: clear user-cache-mp <above ips> clear user-cache <above ips> PAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by our Product Security Assurance policies. All Prisma Access services have been upgraded to resolve this issue and are no longer vulnerable. Prisma Access customers do not require any changes to SAML or IdP configurations.

Configurations

This issue is applicable only where SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Detailed descriptions of how to check for the configuration required for exposure and mitigate them are listed in the knowledge base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK. To check whether SAML authentication is enabled on a firewall, see the configuration under Device > Server Profiles > SAML Identity Provider. To check whether SAML authentication is enabled for Panorama administrator authentication, see the configuration under Panorama> Server Profiles > SAML Identity Provider To check whether SAML authentication is enabled for firewalls managed by Panorama, see the configuration under Device > [template]> Server Profiles > SAML Identity Provider. Any unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions.

Workarounds

Using a different authentication method and disabling SAML authentication will completely mitigate the issue. Until an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability: (a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. (b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP. Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.

Exploits

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Credits
Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue.
Timeline
EventDate
Initial publication2020-06-29 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.paloaltonetworks.com/CVE-2020-2021
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.paloaltonetworks.com/CVE-2020-2021
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
kev
dateAdded:
2022-03-25
reference:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2021
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
CVE-2020-2021 added to CISA KEV2022-03-25 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found