Vulnerability Background
On June 29, 2020, U.S. Cyber Command (USCYBERCOM) issued a public alert about a critical flaw in Palo Alto Networks PAN-OS, the operating system that runs Palo Alto's firewalls and VPN appliances. USCYBERCOM, established in 2010 as a sub-unified command and elevated to a Unified Combatant Command responsible for cyberspace operations in 2018, directs, synchronizes, and coordinates cyberspace planning and operations to defend and advance national interests. Its alert stated that foreign, state-backed actors would likely attempt to exploit the vulnerability in the near term.
The vulnerability is an authentication bypass: an attacker can reach resources protected by SAML authentication without presenting valid credentials. Depending on where SAML is used, that means access to a GlobalProtect VPN portal or gateway, the Captive Portal, or, where SAML protects the management web interface of a firewall or Panorama, an administrative session. With administrative access, an attacker can alter firewall policy, install software of their choice, or carry out other actions with potentially serious consequences.
The vulnerability, tracked as CVE-2020-2021 and rated CVSS 10.0, lies in PAN-OS's handling of Security Assertion Markup Language (SAML), the single sign-on protocol in which an external identity provider (IdP) asserts who a user is and the firewall, acting as the service provider, accepts that signed assertion in place of its own credential check. An unauthenticated attacker needs only network access to a vulnerable interface. Two configuration conditions must both hold: SAML authentication is enabled, and the "Validate Identity Provider Certificate" option in the SAML Identity Provider Server Profile is disabled (unchecked). In that configuration the affected PAN-OS releases do not properly verify the signature on the SAML assertion, so an assertion that was not in fact issued by the trusted IdP can be accepted.
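To make concrete what "fail to properly verify signatures" means for a SAML service provider, here is an added example written for this page. It is not Palo Alto Networks code and does not describe PAN-OS internals, which the vendor has not published; it models the general failure class in which the service provider checks the signature against whichever certificate the message itself carries in its KeyInfo, instead of against the IdP certificate it was configured with. The IdP key pair, the attacker key pair and the assertion bytes are all constructed inside the program. Real SAML signs a canonicalised XML subtree; the example signs a SHA-256 digest of the assertion bytes instead, which keeps the focus on the trust decision rather than on XML-DSig processing.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
)

// signer is a self-signed RSA key pair standing in for a SAML identity provider,
// or for an attacker who controls their own key. Constructed for this example.
type signer struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

func newSigner(cn string) (*signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{key: key, cert: cert}, nil
}

// samlResponse is a deliberately simplified SAML Response: the assertion bytes,
// an RSA signature over their SHA-256 digest, and the certificate the sender
// placed in <ds:KeyInfo>. Real SAML signs a canonicalised XML subtree; the
// trust decision modelled below is the same.
type samlResponse struct {
	Assertion []byte
	Signature []byte
	KeyInfo   *x509.Certificate
}

func (s *signer) sign(assertion []byte) (*samlResponse, error) {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &samlResponse{Assertion: assertion, Signature: sig, KeyInfo: s.cert}, nil
}

// verifyWith checks the signature under the public key of the given certificate.
func verifyWith(cert *x509.Certificate, r *samlResponse) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(r.Assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature)
}

// verifyTrustingKeyInfo models the weak behaviour: the signature is valid
// mathematically, but only against whatever certificate the message itself
// carries, so anyone who signs with their own key and embeds the matching
// certificate is accepted.
func verifyTrustingKeyInfo(r *samlResponse) error {
	return verifyWith(r.KeyInfo, r)
}

// verifyAgainstConfiguredIdP is the hardened form: the embedded certificate
// must be the IdP certificate configured on the service provider, and the
// signature must verify under that key. Chain validation of idpCert against a
// CA, which the PAN-OS option adds on top of this, is omitted here.
func verifyAgainstConfiguredIdP(r *samlResponse, idpCert *x509.Certificate) error {
	if !bytes.Equal(r.KeyInfo.Raw, idpCert.Raw) {
		return errors.New("KeyInfo certificate is not the configured IdP certificate")
	}
	return verifyWith(idpCert, r)
}

func main() {
	idp, _ := newSigner("idp.example.test")
	attacker, _ := newSigner("idp.example.test") // same name, attacker's own key
	assertion := []byte(`<saml:Assertion><saml:Subject>admin</saml:Subject></saml:Assertion>`)
	forged, _ := attacker.sign(assertion)
	genuine, _ := idp.sign(assertion)
	fmt.Println("weak verifier accepts forged assertion:     ", verifyTrustingKeyInfo(forged) == nil)
	fmt.Println("hardened verifier accepts forged assertion: ", verifyAgainstConfiguredIdP(forged, idp.cert) == nil)
	fmt.Println("hardened verifier accepts genuine assertion:", verifyAgainstConfiguredIdP(genuine, idp.cert) == nil)
}
```

The point of the comparison is that the forged response is cryptographically well-formed: the weak verifier rejects nothing, because it is asked only "does this signature match the key in the message?" rather than "was this signed by the IdP I trust?". Pinning the configured IdP certificate (and, as the PAN-OS option does, validating that certificate's chain) is what turns the signature check into an authentication decision.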
Affected Products and Mitigation
Affected releases are PAN-OS 9.1 versions earlier than 9.1.3, PAN-OS 9.0 versions earlier than 9.0.9, PAN-OS 8.1 versions earlier than 8.1.15, and all versions of PAN-OS 8.0, which is end-of-life and will not receive a fix. PAN-OS 7.1 is not affected. Fixes are available in PAN-OS 8.1.15, 9.0.9, 9.1.3, and all later releases. Organizations should patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use, and move any remaining 8.0 devices to a supported release. Where patching must wait, enabling "Validate Identity Provider Certificate" in the SAML Identity Provider Server Profile removes the exploitable condition; this requires an IdP signing certificate issued by a certificate authority rather than the self-signed certificate many IdPs provide by default, and the setting is worth keeping enabled after the upgrade as well. Devices that were reachable while unpatched should have their authentication and configuration logs reviewed for SAML logins and administrative changes that cannot be accounted for.
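The two exploitability conditions, an unfixed release and an in-use SAML profile with certificate validation off, can be checked offline against a configuration export. The following is an added example written for this page (my own code, not a Palo Alto Networks tool). The fixed-release table comes from the advisory text above; the XML element names (server-profile, saml-idp, validate-idp-certificate, authentication-profile) mirror what I expect in a PAN-OS configuration export but are an assumption to confirm against your own export, and the sample configuration is constructed for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// First fixed maintenance release per affected train (from the advisory above).
// PAN-OS 8.0 has no fix and is always affected; 7.1 and unlisted trains are not.
var firstFixed = map[string]int{"9.1": 3, "9.0": 9, "8.1": 15}

// versionAffected reports whether a release such as "9.0.8" or "8.1.15-h3"
// lacks the fix; the "-hN" hotfix suffix is dropped before comparing.
func versionAffected(v string) (bool, error) {
	var major, minor, maint int
	base := strings.SplitN(strings.TrimSpace(v), "-", 2)[0]
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &major, &minor, &maint); err != nil {
		return false, fmt.Errorf("unrecognised PAN-OS version %q", v)
	}
	train := fmt.Sprintf("%d.%d", major, minor)
	fixed, ok := firstFixed[train]
	return train == "8.0" || (ok && maint < fixed), nil
}

// node is a generic XML element. Element names used below follow the PAN-OS
// config export layout as assumed for this example; verify against a real export.
type node struct {
	XMLName  xml.Name
	Name     string `xml:"name,attr"`
	Text     string `xml:",chardata"`
	Children []node `xml:",any"`
}

// get follows a path of child element names; nil if any step is missing.
func (n *node) get(path ...string) *node {
	for _, name := range path {
		i := 0
		for i < len(n.Children) && n.Children[i].XMLName.Local != name {
			i++
		}
		if i == len(n.Children) {
			return nil
		}
		n = &n.Children[i]
	}
	return n
}

func walk(n *node, fn func(*node)) {
	fn(n)
	for i := range n.Children {
		walk(&n.Children[i], fn)
	}
}

// weakSAMLProfiles maps each SAML IdP server profile whose validate-idp-certificate
// is not "yes" (a missing element counts as off) to the authentication profiles
// that reference it; an empty list means defined but unused. Profiles are matched
// at any depth, so <shared> and per-vsys layouts both work.
func weakSAMLProfiles(configXML []byte) (map[string][]string, error) {
	var root node
	if err := xml.Unmarshal(configXML, &root); err != nil {
		return nil, err
	}
	weak, refs := map[string][]string{}, map[string][]string{}
	walk(&root, func(n *node) {
		if sp := n.get("saml-idp"); n.XMLName.Local == "server-profile" && sp != nil {
			for _, e := range sp.Children {
				v := e.get("validate-idp-certificate")
				if e.XMLName.Local == "entry" && (v == nil || strings.TrimSpace(v.Text) != "yes") {
					weak[e.Name] = nil
				}
			}
		}
		if n.XMLName.Local == "authentication-profile" {
			for _, e := range n.Children {
				if sp := e.get("method", "saml-idp", "server-profile"); sp != nil {
					refs[strings.TrimSpace(sp.Text)] = append(refs[strings.TrimSpace(sp.Text)], e.Name)
				}
			}
		}
	})
	for name := range weak {
		weak[name] = append([]string{}, refs[name]...)
	}
	return weak, nil
}

// sampleConfig is a constructed fragment in the shape of a PAN-OS config export.
const sampleConfig = `<config version="9.0.0"><shared>
  <server-profile><saml-idp>
    <entry name="okta-idp"><validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="adfs-idp"><validate-idp-certificate>yes</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="gp-saml"><method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method></entry>
    <entry name="local-admins"><method><local-database/></method></entry>
  </authentication-profile></shared></config>`

// Exposed only when BOTH hold: an unfixed release, and a weak profile that is in use.
func main() {
	affected, _ := versionAffected("9.0.8")
	weak, err := weakSAMLProfiles([]byte(sampleConfig))
	fmt.Println("unfixed release:", affected, "| weak SAML profiles and their users:", weak, "| error:", err)
}
```

On a real device, feed the function the XML of the exported running configuration and the PAN-OS version from the device's system information. The device is exposed to CVE-2020-2021 only when versionAffected returns true and weakSAMLProfiles returns a profile with at least one referencing authentication profile; a weak profile with no references is still worth correcting before someone assigns it to a portal or gateway. A missing validate-idp-certificate element is reported as off here, which is the conservative choice; confirm what the default is on your release.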
Ongoing Risk Management
It is critical to assess the risks present in an organization's core network infrastructure. As technology changes rapidly, core network appliances and other devices are often shipped and installed with out-of-the-box settings that lack the hardening required for maximum security. Schneider Downs' Network Device Security and Configuration Assessment is a comprehensive analysis of potential vulnerabilities and misconfigurations on a device. From firewalls to switches and routers, Schneider Downs has the expertise to identify and assess the risks of single and cumulative vulnerabilities that exist across these devices. We perform automated and manual assessments and take a collaborative approach to establishing an action plan to remediate all identified vulnerabilities. We also consider any other security components and mitigating factors to determine the overall risk to the security posture of the organization's internal network appliances.
As the protection of systems and critical data continues to be a major component of cybersecurity awareness, Schneider Downs maintains in-depth knowledge of industry best practices and can assist your organization in identifying vulnerabilities and overall risk to your internal network infrastructure. We have continued to establish ongoing relationships with new and existing clients to ensure coverage of the ever-changing risks posed by network vulnerabilities.
Learn more about how our team can help with your network device security needs or contact the team for more information.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit our website.
In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.