US Cyber Command says hackers will likely exploit new PAN-OS security bug
Posted by javajolt (Administrator) on June 30, 2020, 07:00:38 PM

US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," US Cyber Command said in a tweet today.

"Foreign APTs will likely attempt [to] exploit soon," the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups.

CVE-2020-2021 - A RARE 10/10 VULNERABILITY

US Cyber Command officials are right to be alarmed. CVE-2020-2021 is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale.

A 10/10 CVSSv3 score means the vulnerability can be exploited over the network with low attack complexity, requires neither privileges on the device nor any user interaction, and has full impact on confidentiality, integrity and availability; attackers do not need an initial foothold on the attacked device, only network access to the affected service.

In technical terms, the vulnerability is an authentication bypass caused by improper verification of signatures in PAN-OS SAML authentication. It allows threat actors to reach resources that SAML is supposed to protect without providing valid credentials, including the administrative web interface, where it yields administrator-level access.

Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS settings may sound innocuous and of little consequence, the bug is actually a major issue because it could be used to disable firewall or VPN access-control policies, effectively neutralizing the entire PAN-OS device.

In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a certain configuration for the bug to be exploitable.

PAN engineers said the bug is only exploitable if SAML (Security Assertion Markup Language) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider server profile.

Features that can be configured to authenticate through SAML -- and that are exposed to the attack when configured this way -- include:

GlobalProtect Gateway

GlobalProtect Portal

GlobalProtect Clientless VPN

Authentication and Captive Portal

PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces

Prisma Access systems

Neither setting is in the vulnerable position by default; an administrator has to enable SAML and then uncheck certificate validation by hand. Not every PAN-OS device is therefore vulnerable as shipped.

SOME DEVICES HAVE BEEN CONFIGURED TO BE VULNERABLE

However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor integration guides instruct PAN-OS owners to set up exactly this configuration when using third-party identity providers -- for example when pairing PAN-OS devices with Duo authentication, or with third-party authentication solutions from Centrify, Trusona, or Okta.

This means that while the vulnerability looks harmless at a first glance due to the complex configuration needed to be exploitable, there are likely quite a few devices configured in this vulnerable state, especially due to the widespread use of Duo authentication in the enterprise and government sector.

At the time of writing, the number of internet-exposed systems that could be vulnerable is estimated at roughly 4,300 at most, according to Troy Mursch, co-founder of internet scanning and threat intel firm Bad Packets.

"Of the 58,521 publicly accessible Palo Alto (PAN-OS) servers scanned by Bad Packets, 4,291 hosts were found using some type of SAML authentication," Mursch told ZDNet today.

However, Mursch says that his company's scans can only tell whether SAML authentication is enabled, not whether the second condition (the 'Validate Identity Provider Certificate' option being disabled) is also met. The real number of exploitable devices is therefore somewhere between zero and that figure, and only the device owner can tell which side of the line a given firewall falls on.

Owners of PAN-OS devices are advised to review device configurations immediately, with particular attention to every SAML Identity Provider server profile and the authentication profiles that reference it, and to apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state. Where an identity provider's integration guide required certificate validation to be disabled, re-enabling it after the upgrade removes the precondition altogether.
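One way to do that configuration review offline, as an added example that is not from the article, from US Cyber Command or from Palo Alto Networks: the script below parses an exported PAN-OS XML configuration, reports every SAML IdP server profile whose 'Validate Identity Provider Certificate' option is explicitly set to no, and lists which authentication profiles (and so which GlobalProtect portals, gateways, Captive Portal or admin web interfaces) rely on it. Unlike an external scan such as Bad Packets', which can only see that SAML is in use, a config audit sees both conditions. The element names (server-profile/saml-idp/entry/validate-idp-certificate and authentication-profile/entry/method/saml-idp/server-profile) are taken from the PAN-OS CLI set-command paths and are an assumption to confirm against your own export; the sample configuration embedded below is constructed for the example.

```python
"""Audit an exported PAN-OS configuration for the CVE-2020-2021 precondition.

Added example, not code from the article or from Palo Alto Networks. It
parses the XML that a PAN-OS 'export configuration' produces, finds SAML
IdP server profiles with 'Validate Identity Provider Certificate' unchecked,
and maps them to the authentication profiles that use them.
"""
import xml.etree.ElementTree as ET

# Constructed sample export. Element names follow the PAN-OS CLI path
# 'set shared server-profile saml-idp <name> validate-idp-certificate no';
# treat the exact XML layout as an assumption and compare with a real export.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="duo-idp">
          <entity-id>https://sso.example.com/saml/duo</entity-id>
          <sso-url>https://sso.example.com/saml/sso</sso-url>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="okta-idp">
          <entity-id>https://example.okta.com/saml</entity-id>
          <sso-url>https://example.okta.com/sso</sso-url>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp">
          <entity-id>https://legacy.example.com</entity-id>
          <sso-url>https://legacy.example.com/sso</sso-url>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-vpn-users">
        <method><saml-idp><server-profile>duo-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admins">
        <method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="local-admins">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def audit_saml_profiles(config_xml):
    """Return a dict keyed by SAML IdP server-profile name.

    Each value is {"validate_idp_certificate": "yes" | "no" | None,
                   "auth_profiles": [authentication profiles using it]}.
    None means the element is absent from the export. Exports may omit
    defaulted settings, so the script does not guess either way for those;
    they are reported separately for a manual check in the web UI.
    """
    root = ET.fromstring(config_xml)
    report = {}
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        raw = entry.findtext("validate-idp-certificate")
        report[entry.get("name")] = {
            "validate_idp_certificate": raw.strip().lower() if raw else None,
            "auth_profiles": [],
        }
    # SAML is "in use" only if an authentication profile references the IdP.
    for ap in root.iterfind(".//authentication-profile/entry"):
        ref = ap.findtext("method/saml-idp/server-profile")
        if ref in report:
            report[ref]["auth_profiles"].append(ap.get("name"))
    return report


def vulnerable_profiles(config_xml):
    """SAML profiles explicitly set to 'no' AND referenced by an
    authentication profile: both CVE-2020-2021 preconditions hold."""
    return sorted(
        name for name, r in audit_saml_profiles(config_xml).items()
        if r["validate_idp_certificate"] == "no" and r["auth_profiles"]
    )


def needs_manual_check(config_xml):
    """Profiles whose validation setting is not present in the export."""
    return sorted(
        name for name, r in audit_saml_profiles(config_xml).items()
        if r["validate_idp_certificate"] is None
    )


if __name__ == "__main__":
    for name, r in audit_saml_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: validate-idp-certificate={r['validate_idp_certificate']} "
              f"used by {r['auth_profiles'] or 'nothing'}")
    print("vulnerable:", vulnerable_profiles(SAMPLE_CONFIG))
    print("check manually:", needs_manual_check(SAMPLE_CONFIG))
```

Run it against a real export (`scp export configuration` or the XML API's `show config running`) instead of SAMPLE_CONFIG. A profile set to no but referenced by no authentication profile is not exposed and is deliberately left out of the vulnerable list; a profile with the element missing is not assumed safe, which is why the third list exists.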

Palo Alto's advisory lists the PAN-OS releases in which CVE-2020-2021 is known to be exploitable and the fixed release for each train; the table is not reproduced in this copy of the article.

Following Palo Alto's vulnerability disclosure today, several respected figures in the cyber-security community have echoed the US Cyber Command warning and have also urged system administrators to patch PAN-OS devices as soon as possible, anticipating attacks from nation-state threat actors within a matter of days.

Palo Alto Networks did not return an email seeking comment on the US Cyber Command's warning.

source