Palo Alto just released a security advisory warning that there is a severe vulnerability in SAML implementations. The premise is that if you are actively using SAML to authenticate users, and you have 'Validate Identity Provider Certificate' disabled, an attacker could bypass authentication.
The vulnerability applies to any of the available authentication interfaces: GlobalProtect (portal, gateway, clientless), Captive Portal and the management interface. The attacker would be able to gain the same access as a legitimately logged-in user, so they would be able to reach the same resources as a VPN user would be able to get, or gain full admin access over the firewall if they are able to reach a management interface.
This issue affects ALL PAN-OS versions prior to 9.1.3, 9.0.9 and 8.1.15, so upgrade as soon as you possibly can, or enable 'Validate Identity Provider Certificate' if possible, or disable SAML altogether if the former options are not possible.
Additionally, always make sure to limit administrative access to only a few resources, and make sure VPN users have tailored security rules that allow access to the needed resources only.
Stay frosty!
reaper out
The original post can be found here: https://security.paloaltonetworks.com/CVE-2020-2021
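Added example (not part of the original post or of any Palo Alto tooling): a small audit script that checks the two conditions described above, the PAN-OS version against the fixed releases named in the post, and a running-config export for SAML IdP server profiles with 'Validate Identity Provider Certificate' turned off. The XML layout (`config/shared/server-profile/saml-idp/entry` carrying a `validate-idp-certificate` element) is an assumption to verify against your own config export.

```python
# Added example: audit a PAN-OS config export for the CVE-2020-2021 conditions.
# Assumed XML layout (verify against your own export): SAML IdP server profiles
# sit under config/shared/server-profile/saml-idp/entry and carry a
# <validate-idp-certificate>yes|no</validate-idp-certificate> element.
import xml.etree.ElementTree as ET

# Fixed releases named in the post, keyed by release train (major, minor).
FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}


def parse_version(text):
    """'9.1.2' -> (9, 1, 2); a trailing hotfix tag such as '-h1' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def version_is_vulnerable(text):
    """True when the version is on a listed train and below its fixed release.
    Trains the post does not list return None: consult the advisory for those."""
    v = parse_version(text)
    fix = FIXED.get(v[:2])
    if fix is None:
        return None
    return v < fix


def unvalidated_saml_profiles(config_xml):
    """Names of SAML IdP server profiles whose IdP certificate validation is off.
    A missing element is flagged too (conservative: review it by hand)."""
    root = ET.fromstring(config_xml)
    flagged = []
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="")
        if flag.strip().lower() != "yes":
            flagged.append(entry.get("name"))
    return flagged


# Constructed sample config: one hardened profile, one exposed profile.
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="idp-corp"><validate-idp-certificate>yes</validate-idp-certificate></entry>
  <entry name="idp-legacy"><validate-idp-certificate>no</validate-idp-certificate></entry>
</saml-idp></server-profile></shared></config>"""

if __name__ == "__main__":
    for ver in ("9.1.2", "9.1.3", "8.1.14", "10.0.0"):
        print(ver, "vulnerable:", version_is_vulnerable(ver))
    print("profiles without IdP cert validation:", unvalidated_saml_profiles(SAMPLE_CONFIG))
```

Run it against a saved `running-config.xml` export by replacing `SAMPLE_CONFIG` with the file contents; a non-empty list means the mitigation in the post is not in place for that profile.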
I was wondering why they suddenly changed the recommendation status on all new PAN-OS without any fanfare or notifications... This was it ;)
Thanks Reaper, got the lowdown this afternoon. Already updated our production and now sending out to all our customers!