US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” US Cyber Command said in a tweet today.

“Foreign APTs will likely attempt [to] exploit soon,” the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups.

CVE-2020-2021 – a rare 10/10 vulnerability

US Cyber Command officials are right to be alarmed. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale.

A 10/10 CVSSv3 score means the vulnerability is both easy to exploit, as it does not require advanced technical skills, and remotely exploitable over the internet, without requiring attackers to gain an initial foothold on the attacked system.

In technical terms, the vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials.

Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features may seem innocuous and of little consequence, the bug is in fact a serious issue because it could be used to disable firewalls or VPN access-control policies, effectively disabling the entire PAN-OS device.

PAN-OS devices must be in a specific configuration

In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a specific configuration for the bug to be exploitable.

PAN engineers said the bug is only exploitable if the ‘Validate Identity Provider Certificate’ option is disabled and SAML (Security Assertion Markup Language) authentication is enabled.


Image: Palo Alto Networks

Devices that support these two options (and are therefore exposed to attacks) include systems such as:

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
  • Prisma Access systems

These two settings are not in the vulnerable positions by default and require manual intervention by an administrator to be set in that specific combination, which means that not all PAN-OS devices are vulnerable to attacks out of the box.

Some devices have been configured to be vulnerable

However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor manuals instruct PAN-OS owners to set up this exact configuration when using third-party identity providers, such as Duo authentication on PAN-OS devices, or third-party authentication solutions from Centrify, Trusona, or Okta.

This means that while the vulnerability appears harmless at first glance because of the specific configuration needed to exploit it, there are likely quite a few devices configured in this vulnerable state, especially given the widespread use of Duo authentication in the enterprise and government sectors.

As a result, owners of PAN-OS devices are advised to immediately review device configurations and apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state.

The list of vulnerable PAN-OS releases on which CVE-2020-2021 is known to work is below.
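The configuration review the advisory asks for can be scripted against an exported configuration. The script below is an added, defender-side example, not code from the article or from Palo Alto Networks: it parses a PAN-OS-style XML configuration export and reports every authentication profile that relies on a SAML IdP server profile whose ‘Validate Identity Provider Certificate’ option is off, i.e. the combination of settings described above. The element and path names it looks for (shared/server-profile/saml-idp, validate-idp-certificate, shared/authentication-profile, method/saml-idp/server-profile) are assumptions about the export layout and should be checked against a real export before relying on the result; the sample configuration is constructed for the example.

```python
"""Audit a PAN-OS-style XML configuration export for the CVE-2020-2021 precondition.

Added example, not Palo Alto Networks code. Assumed layout (verify against your
own export): SAML IdP server profiles under shared/server-profile/saml-idp/entry
carrying a <validate-idp-certificate> element, and authentication profiles under
shared/authentication-profile/entry whose <method><saml-idp><server-profile>
names the IdP profile they use.
"""
import xml.etree.ElementTree as ET

# Constructed sample export, modelled on the assumed layout above.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="duo-idp">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="okta-idp">
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp"/>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-users">
        <method><saml-idp><server-profile>duo-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admins">
        <method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="local-only">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def saml_idp_profiles(root):
    """Return {profile_name: validates_idp_cert} for every SAML IdP server profile.

    An absent <validate-idp-certificate> element is reported as False so that
    the profile is flagged for manual review rather than silently assumed safe.
    """
    result = {}
    for entry in root.iterfind("./shared/server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        result[entry.get("name")] = flag.strip().lower() == "yes"
    return result


def saml_auth_profiles(root):
    """Return {auth_profile_name: idp_profile_name} for profiles that authenticate via SAML."""
    result = {}
    for entry in root.iterfind("./shared/authentication-profile/entry"):
        idp = entry.findtext("method/saml-idp/server-profile")
        if idp:
            result[entry.get("name")] = idp.strip()
    return result


def audit(xml_text):
    """Return (auth_profile, idp_profile) pairs where SAML is in use and the
    IdP certificate is not validated: the vulnerable combination."""
    root = ET.fromstring(xml_text)
    idps = saml_idp_profiles(root)
    exposed = []
    for auth_name, idp_name in sorted(saml_auth_profiles(root).items()):
        if not idps.get(idp_name, False):
            exposed.append((auth_name, idp_name))
    return exposed


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    if not findings:
        print("no SAML authentication profile with IdP certificate validation disabled")
    for auth_name, idp_name in findings:
        print(f"auth profile {auth_name!r} uses SAML IdP {idp_name!r} "
              f"without IdP certificate validation: patch and re-enable validation")
```

On the constructed sample the audit flags only `gp-users`, which points at the `duo-idp` profile with validation switched off; `admins` uses an IdP profile that validates the certificate and `local-only` does not use SAML at all. Run the same functions over a real export to produce the list of profiles to fix alongside applying the vendor patch.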


Following Palo Alto’s vulnerability disclosure today, several respected figures in the cyber-security community have echoed the US Cyber Command warning and have also urged system administrators to patch PAN-OS devices as soon as possible, likewise expecting attacks from nation-state threat actors to follow within days.

Palo Alto Networks did not return an email seeking comment on the US Cyber Command’s warning.