CVE-2020-2021
published 2020-06-29

CVSS 3.1: 10.0 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Site priority: P1 (97)
Flags: KEV, exploited in the wild, ransomware
CISA Known Exploited Vulnerability: due 2022-04-15
EPSS: 4.36% (90.0th percentile)
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This issue affects PAN-OS 9.1 versions earlier than 9.1.3, PAN-OS 9.0 versions earlier than 9.0.9, PAN-OS 8.1 versions earlier than 8.1.15, and all versions of PAN-OS 8.0 (EOL). It does not affect PAN-OS 7.1. It cannot be exploited if SAML is not used for authentication, and it cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO) authentication are:

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS next-generation firewall (PA-Series, VM-Series) and Panorama web interfaces
  • Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by the configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server, and an attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of the PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to those interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a
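Why the 'Validate Identity Provider Certificate' checkbox decides everything comes down to where the verifier gets the key it checks the signature with. The Go program below is an added illustration, not Palo Alto Networks' code and not a description of how PAN-OS parses SAML: it replaces XML-DSig with a signed string plus a DER certificate, then contrasts a verifier that trusts the certificate carried inside the message (the unchecked state) with one that only accepts the certificate configured for the IdP. The IdP name idp.example.test, the entity ID and the subjects "alice" and "admin" are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assertion is a constructed, simplified stand-in for a signed SAML response: the
// claims the service provider acts on, the signature, and the DER certificate the
// message names as its signer (the role of ds:KeyInfo/X509Certificate in XML-DSig).
type Assertion struct {
	Issuer, Subject       string
	Signature, SignerCert []byte
}

// selfSignedCert makes a throwaway key pair and self-signed certificate for one party.
func selfSignedCert(commonName string) (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// digest is what the signature covers: SHA-256 over the claims.
func digest(issuer, subject string) []byte {
	h := sha256.Sum256([]byte(issuer + "\x00" + subject))
	return h[:]
}

// signAssertion signs with whatever key the caller holds and embeds the matching cert.
func signAssertion(cert *x509.Certificate, priv *rsa.PrivateKey, issuer, subject string) (Assertion, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(issuer, subject))
	return Assertion{Issuer: issuer, Subject: subject, Signature: sig, SignerCert: cert.Raw}, err
}

// VerifyTrustingEmbeddedCert models the option unchecked: the signature is checked
// against the certificate found inside the message. Any key pair passes, so this only
// proves the message was not altered after signing, not who signed it.
func VerifyTrustingEmbeddedCert(a Assertion) error {
	cert, err := x509.ParseCertificate(a.SignerCert)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported signer key type")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(a.Issuer, a.Subject), a.Signature)
}

// VerifyAgainstPinnedIdP models the option checked: the embedded certificate must be
// byte-for-byte the configured IdP certificate and the signature must verify under it.
func VerifyAgainstPinnedIdP(a Assertion, idpCert *x509.Certificate) error {
	if !bytes.Equal(a.SignerCert, idpCert.Raw) {
		return errors.New("signer certificate is not the configured IdP certificate")
	}
	pub := idpCert.PublicKey.(*rsa.PublicKey) // configured by us above, so RSA by construction
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(a.Issuer, a.Subject), a.Signature)
}

// DemoSignatureTrust runs both verifiers over a genuine assertion and a forged one
// (attacker's own key, same issuer, subject "admin"); nil means accepted.
func DemoSignatureTrust() (legitWeak, legitPinned, forgedWeak, forgedPinned error) {
	const issuer = "https://idp.example.test/saml" // assumed IdP entity ID
	idpCert, idpKey, err1 := selfSignedCert("idp.example.test")
	attCert, attKey, err2 := selfSignedCert("idp.example.test") // same name, attacker's key
	if err := errors.Join(err1, err2); err != nil {
		return err, err, err, err
	}
	legit, err1 := signAssertion(idpCert, idpKey, issuer, "alice")
	forged, err2 := signAssertion(attCert, attKey, issuer, "admin")
	if err := errors.Join(err1, err2); err != nil {
		return err, err, err, err
	}
	return VerifyTrustingEmbeddedCert(legit), VerifyAgainstPinnedIdP(legit, idpCert), VerifyTrustingEmbeddedCert(forged), VerifyAgainstPinnedIdP(forged, idpCert)
}

func main() {
	lw, lp, fw, fp := DemoSignatureTrust()
	fmt.Printf("genuine: embedded=%v pinned=%v\nforged:  embedded=%v pinned=%v\n", lw, lp, fw, fp)
}
```

The forged assertion is cryptographically valid (the signature really does match the certificate it carries), which is exactly why the embedded-certificate check accepts it; only the pinned check asks the right question, whether the signer is the IdP that was configured.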

Affected

7 version ranges (the vendor appears under two names, palo_alto_networks and paloaltonetworks, in the source data)

Vendor              Product  Version range        Fixed in
palo_alto_networks  pan-os   >= 8.1 < 8.1.15      8.1.15
palo_alto_networks  pan-os   >= 9.0 < 9.0.9       9.0.9
palo_alto_networks  pan-os   >= 9.1 < 9.1.3       9.1.3
paloaltonetworks    pan-os   8.0.0 – 8.0.20       none (8.0 is EOL)
paloaltonetworks    pan-os   >= 8.1.0 < 8.1.15    8.1.15
paloaltonetworks    pan-os   >= 9.0.0 < 9.0.9     9.0.9
paloaltonetworks    pan-os   >= 9.1.0 < 9.1.3     9.1.3

Detection & IOCs (extracted from sources)

  • Exploitation requires SAML authentication to be enabled AND the 'Validate Identity Provider Certificate' option to be disabled (unchecked) in the SAML Identity Provider Server Profile; audit configurations for this combination as a detection/hunting pivot.
  • Review administrator logins to the PAN-OS and Panorama web interfaces: exploitation lets an attacker who never authenticated to the IdP log in as an administrator and perform administrative actions, which is the worst-case outcome for this CVE.
  • To eliminate unauthorized sessions on GlobalProtect portals and gateways post-exploitation, hunt for rogue Authentication Override cookies; the vendor recommends rotating the certificate used to encrypt/decrypt the Authentication Override cookie as a remediation step.
  • CVE-2020-2021 has also been exploited by ransomware groups; monitor for post-authentication lateral movement from GlobalProtect/VPN endpoints on affected PAN-OS versions.
  • The vulnerability is NOT exploitable if SAML is not used for authentication; scope detection efforts to SAML-enabled deployments.
  • The vulnerability is NOT exploitable if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile; verify this setting as a first-pass triage step.
  • PAN-OS 7.1 is not affected by this vulnerability.
  • Affected versions are PAN-OS 9.1 < 9.1.3, PAN-OS 9.0 < 9.0.9, PAN-OS 8.1 < 8.1.15, and all versions of PAN-OS 8.0 (EOL); fixed in PAN-OS 8.1.15, 9.0.9, 9.1.3 and later.
  • Before upgrading, ensure the signing certificate for the SAML Identity Provider is configured as the 'Identity Provider Certificate' in the profile, to avoid authentication breakage post-patch.
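The first-pass triage the list above describes (affected version plus a SAML IdP Server Profile with certificate validation unchecked) can be scripted over an exported configuration. The Go program below is an added example, not a Palo Alto Networks tool: the XML element path shared/server-profile/saml-idp/entry/validate-idp-certificate and the sample configuration are assumptions about the export layout and must be checked against a real export before the result is trusted. The version ranges are the ones the advisory lists.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// SampleConfig is a constructed PAN-OS configuration fragment. The path
// shared/server-profile/saml-idp/entry/validate-idp-certificate is an
// assumption about the export layout; confirm it against a real export
// (profiles may also sit under a vsys, which this walker does not visit).
const SampleConfig = `<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="lab-idp">
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>`

type samlIdPProfile struct {
	Name     string `xml:"name,attr"`
	Validate string `xml:"validate-idp-certificate"`
}

type panConfig struct {
	Profiles []samlIdPProfile `xml:"shared>server-profile>saml-idp>entry"`
}

// WeakSAMLProfiles returns the SAML IdP server profiles whose 'Validate
// Identity Provider Certificate' value is not an explicit "yes". Unchecked is
// the exposed state, so a missing element is reported as well.
func WeakSAMLProfiles(configXML string) ([]string, error) {
	var cfg panConfig
	if err := xml.Unmarshal([]byte(configXML), &cfg); err != nil {
		return nil, err
	}
	var weak []string
	for _, p := range cfg.Profiles {
		if strings.ToLower(strings.TrimSpace(p.Validate)) != "yes" {
			weak = append(weak, p.Name)
		}
	}
	return weak, nil
}

// fixedIn maps each affected release train to the first fixed patch level
// from the advisory; -1 marks 8.0, which is EOL and has no fixed release.
var fixedIn = map[[2]int]int{{8, 0}: -1, {8, 1}: 15, {9, 0}: 9, {9, 1}: 3}

// parseVersion reads "major.minor[.patch]" and ignores a hotfix suffix such
// as "-h1" (8.1.14-h1 is still 8.1.14 for the range check).
func parseVersion(v string) (major, minor, patch int, err error) {
	parts := strings.Split(strings.SplitN(strings.TrimSpace(v), "-", 2)[0], ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised PAN-OS version %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised PAN-OS version %q", v)
		}
	}
	return nums[0], nums[1], nums[2], nil
}

// VersionAffected reports whether a PAN-OS version falls inside the advisory's
// ranges. Trains the advisory does not list (7.1 included) are not affected.
func VersionAffected(v string) (bool, error) {
	major, minor, patch, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	fix, listed := fixedIn[[2]int{major, minor}]
	return listed && (fix < 0 || patch < fix), nil
}

// Exposed combines the advisory's two conditions: an affected version and at
// least one SAML IdP profile without certificate validation. It does not check
// whether that profile is bound to an authentication profile in use, which a
// full audit should confirm as well.
func Exposed(version, configXML string) (bool, []string, error) {
	affected, err := VersionAffected(version)
	if err != nil {
		return false, nil, err
	}
	weak, err := WeakSAMLProfiles(configXML)
	if err != nil {
		return false, nil, err
	}
	return affected && len(weak) > 0, weak, nil
}

func main() {
	for _, v := range []string{"9.0.8", "9.0.9", "8.1.14-h1", "8.0.20", "7.1.26"} {
		exposed, weak, err := Exposed(v, SampleConfig)
		fmt.Printf("PAN-OS %-10s exposed=%-5v weak profiles=%v err=%v\n", v, exposed, weak, err)
	}
}
```

Run it against the real export of each firewall and Panorama, not only the version string: the two checks are independent, and a patched box still deserves the profile fix because the upgrade note above says the profile must carry the IdP's signing certificate for authentication to keep working.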

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd            v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck      -        10.0   CRITICAL  -
cisa           -        10.0   CRITICAL  -
vendor_oracle  -        9.8    CRITICAL  -

NVD's v3.1 vector rates availability High, whereas the vendor's vector for the GlobalProtect, Clientless VPN, Captive Portal and Prisma Access case (quoted in the description above) rates it None; with scope changed and C:H/I:H, both vectors round to the same 10.0 base score.