
US Cyber Command Warns Foreign Hackers Likely to Exploit PAN-OS Security Bug

US Cyber Command said that foreign state-sponsored threat actors are likely to exploit a major security bug discovered in PAN-OS, the operating system running on VPN appliances and firewalls from Palo Alto Networks. The agency warned that all devices affected by CVE-2020-2021 need to be patched, especially if SAML is in use. It also said that foreign APTs would likely attempt to exploit the vulnerability soon.

US Cyber Command officials were on the right track, as the CVE-2020-2021 vulnerability is a rare bug with a perfect 10/10 score on the Common Vulnerability Scoring System (CVSS), a framework for rating the severity of security vulnerabilities in software.

A 10/10 score means the vulnerability is easy to exploit and does not require advanced knowledge or skills; it is exploitable remotely without needing an initial intrusion to succeed. On the technical side, the bug allows attackers to change the settings and features of PAN-OS. Changing these settings may let them access the device without credentials, since they can disable firewall or VPN access control policies.

PAN-OS Must be Kept in a Specific Configuration

A Palo Alto Networks security advisory was published, warning that a mitigating factor is that PAN-OS devices have to be in a specific configuration for the bug to be exploitable. Palo Alto Networks engineers said the bug is exploitable only if Security Assertion Markup Language (SAML) authentication is enabled and the Validate Identity Provider Certificate option is disabled. Devices supporting those two options that are vulnerable to attack include GlobalProtect Portal, GlobalProtect Gateway, GlobalProtect Clientless VPN, Authentication and Captive Portal, Prisma Access systems, PAN-OS next-generation firewalls such as the PA-Series and VM-Series, as well as Panorama web interfaces. Neither setting is in the vulnerable state by default, so reaching that configuration requires direct user intervention. That means not all PAN-OS devices are susceptible to the issue from the get-go.

Some Devices May Be Configured to be Vulnerable

According to CERT/CC, several vendor manuals instruct PAN-OS owners to set this exact configuration when using third-party identity providers, such as Duo authentication on PAN-OS devices or third-party solutions like Okta, Trusona, and Centrify. So although the vulnerability may appear harmless because of the configuration steps required, there are likely many devices configured in that vulnerable state, mainly because Duo authentication is widespread in both the private and government sectors. The number of vulnerable systems was estimated at around 4200 at most, according to Bad Packets, an internet scanning and threat intel company. Owners of PAN-OS devices should review their device configurations and apply the patches released by Palo Alto Networks if their devices are vulnerable.
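As an added example (not from the article, CERT/CC or Palo Alto Networks), the check below scans an exported PAN-OS-style XML configuration for the combination the advisory describes: an authentication profile that uses SAML and points at an IdP server profile with certificate validation turned off. The element names, paths and the sample configuration are assumptions constructed for this example, so adjust the paths to match a real export before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS-style XML export. The element names
# (server-profile/saml-idp, validate-idp-certificate, authentication-profile)
# are assumptions modelled on the option names in the advisory, not a
# verified dump from a real device.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-idp">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="corp-idp">
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-portal-auth">
        <method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-auth">
        <method><saml-idp><server-profile>corp-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="local-auth">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>"""


def find_exposed_profiles(config_xml: str) -> list:
    """Return names of authentication profiles that use SAML with an IdP
    profile whose certificate validation is disabled, i.e. the configuration
    the advisory says is required for CVE-2020-2021 to be exploitable."""
    root = ET.fromstring(config_xml)
    # Map each SAML IdP server profile to whether it validates the IdP cert.
    # A missing flag is treated as "no" (assumption: fail closed for auditing).
    validates = {}
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        validates[entry.get("name")] = flag.strip().lower() == "yes"
    exposed = []
    for prof in root.iterfind(".//authentication-profile/entry"):
        idp = prof.findtext("method/saml-idp/server-profile")
        if idp is None:
            continue  # not a SAML profile, so out of scope for this bug
        if not validates.get(idp, False):  # unknown or non-validating IdP
            exposed.append(prof.get("name"))
    return exposed
```

Running `find_exposed_profiles(SAMPLE_CONFIG)` flags only `gp-portal-auth`; the profile whose IdP validates certificates and the local-database profile are left alone.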
