Palo Alto PAN-OS: Authentication Bypass in SAML Authentication Discovered

A critical severity authentication bypass vulnerability in certain configurations of Palo Alto Networks PAN-OS devices using Security Assertion Markup Language (SAML) authentication has been discovered.

On June 29, 2020, Palo Alto issued a security advisory for PAN-OS versions with SAML authentication enabled and the ‘Validate Identity Provider Certificate’ option disabled (unchecked). Improper verification of signatures in PAN-OS SAML authentication could allow an unauthenticated network-based attacker to access protected resources.

Mark Bell, EVP of operations at Digital Defense, Inc., a provider of vulnerability and threat management solutions, had this comment:

The fact that these devices are generally externally facing and the simplicity of exploiting the Palo Alto PAN-OS vulnerability significantly increases the threat exposure. Bad actors are probably already scanning the internet looking for vulnerable instances.

Here are some specific details about this issue. Affected versions of PAN-OS are:

  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • All versions of PAN-OS 8.0 (EOL)

This issue does not affect PAN-OS 7.1.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the ‘Validate Identity Provider Certificate’ option is enabled (checked) in the SAML Identity Provider Server Profile.
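To make clear why that one checkbox matters, here is an added, self-contained model of the difference between the two verifier behaviours. It is not PAN-OS code and not from the advisory; it uses a textbook RSA toy (tiny primes, SHA-256 digest reduced mod n) and JSON stand-ins for XML assertions, all of which are illustrative assumptions. The weak verifier trusts whatever certificate the message carries (the "Validate Identity Provider Certificate" option unchecked); the strict verifier first pins the embedded certificate to the configured IdP certificate by fingerprint, and only then checks the signature.

```python
"""Toy model of SAML response verification with and without IdP certificate pinning.

Illustrative only: textbook RSA with tiny primes and JSON in place of XML. Real
deployments use XML-DSig and a proper cryptography library; this exists to show
the logic of the check, not to be reused.
"""
import hashlib
import json


def canonical(obj) -> bytes:
    """Stable serialisation standing in for XML canonicalisation."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- toy RSA (constructed, not for real use) -------------------------------

def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) for primes p and q; pow(e, -1, phi) needs Python 3.8+."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    return pow(_digest_int(data, private_key["n"]), private_key["d"], private_key["n"])


def verify(public_key, data: bytes, signature: int) -> bool:
    return pow(signature, public_key["e"], public_key["n"]) == _digest_int(data, public_key["n"])


# --- "certificates" and responses (constructed stand-ins) -------------------

def fingerprint(cert) -> str:
    """SHA-256 over the serialised certificate, the way an operator pins an IdP cert."""
    return hashlib.sha256(canonical(cert)).hexdigest()


def build_response(assertion, private_key, signing_cert):
    """A signed response carrying its own signing certificate, like KeyInfo in XML-DSig."""
    return {
        "assertion": assertion,
        "signature": sign(private_key, canonical(assertion)),
        "signing_cert": signing_cert,
    }


def verify_response_weak(response) -> bool:
    """Option unchecked: the key used for verification comes from the message itself,
    so any internally consistent response passes regardless of who signed it."""
    cert = response["signing_cert"]
    return verify(cert["public_key"], canonical(response["assertion"]), response["signature"])


def verify_response_strict(response, trusted_idp_cert) -> bool:
    """Option checked: the embedded certificate must be the configured IdP certificate
    before its key is trusted; only then is the signature checked."""
    cert = response["signing_cert"]
    if fingerprint(cert) != fingerprint(trusted_idp_cert):
        return False  # signing cert is not the one the operator configured
    return verify(cert["public_key"], canonical(response["assertion"]), response["signature"])


def demo():
    """Run the two verifiers over three constructed responses and return the outcomes."""
    idp_pub, idp_priv = make_keypair(1000003, 1000033)
    idp_cert = {"subject": "CN=corp-idp.example", "public_key": idp_pub}  # configured IdP cert

    other_pub, other_priv = make_keypair(1000037, 1000039)
    other_cert = {"subject": "CN=unrelated.example", "public_key": other_pub}  # not the IdP

    assertion = {"subject": "alice", "audience": "firewall-admin-ui"}
    genuine = build_response(assertion, idp_priv, idp_cert)   # signed by the real IdP
    foreign = build_response(assertion, other_priv, other_cert)  # signed by some other key

    tampered = dict(genuine)
    tampered["assertion"] = {**assertion, "subject": "mallory"}  # body changed after signing

    return {
        "weak": {n: verify_response_weak(r) for n, r in
                 [("genuine", genuine), ("foreign", foreign), ("tampered", tampered)]},
        "strict": {n: verify_response_strict(r, idp_cert) for n, r in
                   [("genuine", genuine), ("foreign", foreign), ("tampered", tampered)]},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the output makes is that the weak verifier rejects a tampered body (the signature really is checked) yet accepts the "foreign" response, because it never asks whether the signing certificate is the IdP's. Pinning the certificate is what turns a signature check into an authentication check, which is why enabling the option removes the exposure.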

Palo Alto Networks provided a patch for this vulnerability and indicated they are not aware of any malicious attempts to exploit this vulnerability at this time.

The Digital Defense Vulnerability Research Team is developing checks for the condition for its Frontline.Cloud vulnerability management solution as more information is made available.
