CVE-2020-2021
Published: 29 June 2020
Summary
CVE-2020-2021 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 10.0 (Critical).
It ranks in the top 4.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2020-2021 is an improper signature verification flaw in PAN-OS SAML authentication that is reachable only when the "Validate Identity Provider Certificate" option is disabled in the SAML Identity Provider Server Profile. It affects PAN-OS 9.1 releases prior to 9.1.3, 9.0 releases prior to 9.0.9, 8.1 releases prior to 8.1.15, and all 8.0 releases (end-of-life, no fix); PAN-OS 7.1 is unaffected. Any deployment that uses SAML for authentication to GlobalProtect Gateway, GlobalProtect Portal, Clientless VPN, Captive Portal, the PAN-OS or Panorama web interfaces, or Prisma Access is in scope; deployments that do not use SAML are not.
An unauthenticated attacker with network access to an affected service can bypass SAML authentication because the signing certificate behind the assertion's signature is not validated against the configured identity provider. On GlobalProtect, Captive Portal, and Prisma Access the attacker gains whatever access the configured authentication and Security policies grant a user, without affecting the integrity or availability of the gateway or VPN server or the sessions of other users; on the PAN-OS or Panorama web interfaces the attacker can log in as an administrator and perform any management action. The worst case is CVSS 10.0 when the web interfaces are reachable from the internet, and 9.6 (AV:A) when they are restricted to a management network.
Per the Palo Alto Networks advisory, either of two actions eliminates the vulnerability: upgrading to the fixed releases listed above, or enabling "Validate Identity Provider Certificate" in the SAML Identity Provider Server Profile (the immediate workaround where an upgrade must wait). The vendor reported no malicious exploitation attempts at disclosure, but CISA later added the flaw to its Known Exploited Vulnerabilities catalog (25 March 2022), which indicates exploitation was observed afterwards; a deployment that ran an affected configuration with internet-reachable SAML endpoints should be checked for unauthorized administrator logins and configuration changes, not only patched.
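To make the failure mode concrete, the following is an added example in Go; it is not PAN-OS code or anything from the vendor's advisory, and the page does not describe PAN-OS's internal check, so the example shows the general bug class rather than the exact PAN-OS logic. It is deliberately simplified: a plain signed record (the Assertion type) stands in for an XML-DSig-signed SAML Response, and the embedded SigCert plays the role of the <ds:KeyInfo><ds:X509Data> element. The weak verifier (verifyEmbeddedCert) checks the signature against whatever certificate the message carries, which is a cryptographically valid check that proves nothing about who signed; the hardened verifier (verifyPinnedIdPCert) binds the check to the certificate configured in the IdP server profile, the behaviour the "Validate Identity Provider Certificate" option is named for. All type and function names, the "idp.example" identities and the key material generated at runtime are this example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assertion is a simplified stand-in for a signed SAML Response: the fields
// that get signed, plus the signing certificate the sender embeds (the
// <ds:KeyInfo><ds:X509Data> element in real SAML). Constructed for this
// example; it is not PAN-OS's representation.
type Assertion struct {
	Issuer  string
	Subject string
	SigCert []byte // DER X.509 certificate carried inside the message
	Sig     []byte // RSA PKCS#1 v1.5 / SHA-256 signature over signedBytes()
}

func (a Assertion) signedBytes() []byte {
	return []byte("issuer=" + a.Issuer + "\nsubject=" + a.Subject)
}

// newSelfSignedCert generates an RSA key and a self-signed certificate.
// The IdP and an attacker can both do this; nothing here needs a secret.
func newSelfSignedCert(cn string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// sign builds an assertion signed with key and carrying cert.
func sign(issuer, subject string, key *rsa.PrivateKey, cert []byte) (Assertion, error) {
	a := Assertion{Issuer: issuer, Subject: subject, SigCert: cert}
	h := sha256.Sum256(a.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	a.Sig = sig
	return a, err
}

// checkSig verifies a.Sig with the RSA public key inside certDER.
func checkSig(a Assertion, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported signing key type")
	}
	h := sha256.Sum256(a.signedBytes())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], a.Sig)
}

// verifyEmbeddedCert models the option off: the signature is checked, but
// against the certificate the message itself carries. That proves only that
// the sender holds the key for a certificate the sender chose, so any
// attacker with a key pair passes.
func verifyEmbeddedCert(a Assertion) error {
	return checkSig(a, a.SigCert)
}

// verifyPinnedIdPCert models the option on: the issuer must be the configured
// IdP, the embedded certificate must be byte-identical to the certificate in
// the IdP server profile, and the signature is checked under that pinned
// certificate, never under the one the message supplied.
func verifyPinnedIdPCert(a Assertion, idpCertDER []byte, expectedIssuer string) error {
	if a.Issuer != expectedIssuer {
		return errors.New("issuer does not match the configured IdP")
	}
	if !bytes.Equal(a.SigCert, idpCertDER) {
		return errors.New("embedded signing certificate is not the configured IdP certificate")
	}
	return checkSig(a, idpCertDER)
}

func main() {
	// Errors from key generation and signing are ignored here for brevity only.
	idpKey, idpCert, _ := newSelfSignedCert("idp.example") // the configured IdP
	attKey, attCert, _ := newSelfSignedCert("idp.example") // attacker's own key, same CN
	genuine, _ := sign("https://idp.example", "alice", idpKey, idpCert)
	forged, _ := sign("https://idp.example", "admin", attKey, attCert)
	fmt.Println("validation off, forged: ", verifyEmbeddedCert(forged)) // <nil>: accepted
	fmt.Println("validation on,  forged: ", verifyPinnedIdPCert(forged, idpCert, "https://idp.example"))
	fmt.Println("validation on,  genuine:", verifyPinnedIdPCert(genuine, idpCert, "https://idp.example"))
}
```

The point the example makes is that signature verification and certificate validation are separate checks: a verifier that only does the former accepts any well-formed assertion whose signer also supplied the key, which is why the advisory treats the validation option as a complete mitigation. The pinned verifier also rejects the two obvious variants of the forgery, an attacker who pastes the genuine IdP certificate but signs with their own key, and a genuine assertion whose Subject is altered after signing, because in both cases the signature no longer verifies under the configured certificate.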
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-22049
Vulnerability details
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO) authentication are:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
- Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
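The advisory text above gives three conditions that must all hold for a device to be exposed: an affected version, SAML in use for authentication, and the 'Validate Identity Provider Certificate' option disabled. The following is an added Go example (not vendor tooling) that encodes exactly those conditions for fleet triage, using the version ranges stated above. How the version string and the two flags are collected from each device (CLI, XML API, Panorama export) is outside the example; the inventory rows in main are constructed, and the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// panosVersion is major.minor.maintenance. Hotfix suffixes such as "-h1"
// are dropped: the advisory's fixed versions are maintenance releases, and
// a hotfix on an earlier maintenance release is still earlier than the fix.
type panosVersion struct{ major, minor, maint int }

func parsePanosVersion(s string) (panosVersion, error) {
	base, _, _ := strings.Cut(strings.TrimSpace(s), "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return panosVersion{}, fmt.Errorf("unexpected PAN-OS version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return panosVersion{}, fmt.Errorf("unexpected PAN-OS version %q", s)
		}
		n[i] = v
	}
	return panosVersion{n[0], n[1], n[2]}, nil
}

// firstFixed is the first fixed maintenance release of each affected train,
// as stated in the advisory. 8.0 is handled separately (every release is
// affected, no fix, EOL). Trains the advisory does not list (7.1, and
// anything newer than 9.1) fall outside its affected ranges.
var firstFixed = map[[2]int]int{{9, 1}: 3, {9, 0}: 9, {8, 1}: 15}

// exposure applies the advisory's three conditions to one device: an
// affected version, SAML in use, and 'Validate Identity Provider
// Certificate' disabled. It returns whether the bug is reachable and why.
func exposure(version string, samlInUse, validateIdpCert bool) (bool, string, error) {
	v, err := parsePanosVersion(version)
	if err != nil {
		return false, "", err
	}
	train := [2]int{v.major, v.minor}
	var reason string
	switch {
	case train == [2]int{8, 0}:
		reason = "all PAN-OS 8.0 releases are affected and no fix exists (EOL)"
	case firstFixed[train] > v.maint: // unlisted trains map to 0, never > maint
		reason = fmt.Sprintf("%d.%d.%d is earlier than fixed release %d.%d.%d",
			v.major, v.minor, v.maint, v.major, v.minor, firstFixed[train])
	default:
		return false, "version is outside the advisory's affected ranges", nil
	}
	if !samlInUse {
		return false, reason + ", but SAML is not used for authentication", nil
	}
	if validateIdpCert {
		return false, reason + ", but IdP certificate validation is enabled", nil
	}
	return true, reason + "; SAML is in use with IdP certificate validation disabled: upgrade or enable the option", nil
}

func main() {
	// Constructed inventory rows for illustration, not real devices.
	devices := []struct {
		name, version     string
		saml, validateIdp bool
	}{
		{"fw-edge-01", "9.1.2", true, false},
		{"fw-edge-02", "9.0.9-h1", true, false},
		{"fw-dc-01", "8.1.14-h2", true, true},
		{"panorama-01", "8.0.21", false, false},
	}
	for _, d := range devices {
		exposed, why, err := exposure(d.version, d.saml, d.validateIdp)
		if err != nil {
			fmt.Println(d.name, "error:", err)
			continue
		}
		fmt.Printf("%-12s %-10s exposed=%-5v %s\n", d.name, d.version, exposed, why)
	}
}
```

Two details matter in practice: the hotfix suffix must not be compared as part of the version (9.0.8-h5 is still affected, 9.0.9-h1 is fixed), and a device on an affected build that is not exposed today because SAML is off or validation is on becomes exposed the moment either setting changes, so the version finding should still drive an upgrade.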
- CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- IA-13 (Identity Providers and Authorization Servers): Directly requires proper configuration and validation of assertions from SAML identity providers, eliminating the exact bypass that occurs when IdP certificate validation is disabled.
- SC-23 (Session Authenticity): Mandates protection of session authenticity via cryptographic verification of SAML assertions, directly countering the missing signature/certificate check.
- Enforces access decisions only after successful, validated authentication, blocking the unauthorized resource or admin access granted by the SAML flaw.