
US Cyber Command says foreign hackers will most likely exploit new PAN-OS security bug


US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” US Cyber Command said in a tweet today.

“Foreign APTs will likely attempt [to] exploit soon,” the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups.

CVE-2020-2021 – a rare 10/10 vulnerability

US Cyber Command officials are right to be panicked. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale.

A 10/10 CVSSv3 score means the vulnerability is both easy to exploit, requiring no advanced technical skills, and remotely exploitable over the internet, without attackers first needing a foothold on the targeted device.

In technical terms, the vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials.

Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features may seem innocuous and of little consequence, the bug is actually a major issue because it could be used to disable firewall or VPN access-control policies, effectively neutralizing the entire PAN-OS device.

PAN-OS devices must be in a certain configuration

In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a certain configuration for the bug to be exploitable.

PAN engineers said the bug is only exploitable if the ‘Validate Identity Provider Certificate’ option is disabled and if SAML (Security Assertion Markup Language) is enabled.


Image: Palo Alto Networks

Devices that support these two options — and are vulnerable to attacks — include systems like:

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
  • Prisma Access systems

These two settings are not in the vulnerable state by default and require manual intervention by an administrator to be set in that specific configuration — meaning that not all PAN-OS devices are vulnerable to attacks by default.

Some devices have been configured to be vulnerable

However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor manuals instruct PAN-OS owners to set up this exact configuration when using third-party identity providers — such as using Duo authentication on PAN-OS devices, or third-party authentication solutions from Centrify, Trusona, or Okta.

This means that while the vulnerability looks harmless at a first glance due to the complex configuration needed to be exploitable, there are likely quite a few devices configured in this vulnerable state, especially due to the widespread use of Duo authentication in the enterprise and government sector.

As a result, owners of PAN-OS devices are advised to immediately review device configurations and apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state.
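One way to do that configuration review offline, as an added example that is not from the article or from Palo Alto Networks: a small Python script that scans an exported PAN-OS XML configuration for SAML authentication profiles whose identity-provider server profile has the 'Validate Identity Provider Certificate' option turned off. The element names and layout of the export, and the sample configuration itself, are my assumptions; check them against a real export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout I assume for a PAN-OS XML config export;
# the element names are an assumption, so check them against a real export.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="idp-third-party">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="idp-validated">
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="globalprotect-saml">
        <method><saml-idp><server-profile>idp-third-party</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-saml">
        <method><saml-idp><server-profile>idp-validated</server-profile></saml-idp></method>
      </entry>
      <entry name="vpn-ldap">
        <method><ldap><server-profile>corp-ldap</server-profile></ldap></method>
      </entry>
    </authentication-profile>
  </shared>
</config>"""


def saml_profiles_without_cert_validation(config_xml):
    """Return (auth-profile, saml-idp-profile) pairs matching the CVE-2020-2021
    precondition: SAML in use with 'Validate Identity Provider Certificate' off.
    A missing <validate-idp-certificate> element is treated as 'no' (worst case)."""
    root = ET.fromstring(config_xml)
    validated = {}  # saml-idp server profile name -> certificate validation on?
    for idp in root.iterfind("./shared/server-profile/saml-idp/entry"):
        flag = idp.findtext("validate-idp-certificate", default="no")
        validated[idp.get("name")] = flag.strip().lower() == "yes"
    findings = []
    for auth in root.iterfind("./shared/authentication-profile/entry"):
        ref = auth.findtext("method/saml-idp/server-profile")
        if ref is None:
            continue  # not a SAML authentication profile, so out of scope
        if not validated.get(ref.strip(), False):
            findings.append((auth.get("name"), ref.strip()))
    return findings
```

Pass the contents of your own export to the function; on the sample it reports only the globalprotect-saml profile, since admin-saml points at a profile with validation enabled and vpn-ldap does not use SAML at all.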

The vulnerable PAN-OS releases on which CVE-2020-2021 is known to work are listed below.

Following Palo Alto’s vulnerability disclosure today, several respected figures in the cyber-security community have echoed the US Cyber Command warning and have also urged system administrators to patch PAN-OS devices as soon as possible, also anticipating attacks from nation-state threat actors to follow in a matter of days.

Given the demonstrated desire by multiple actors to compromise VPN endpoints and other gateways over the past two years, I strongly advise you prioritize patching this. https://t.co/9k6mcEro4X

— Matthew Olney (@kpyke) June 29, 2020

If you use Palo-Alto firewalls with SAML — particularly with GlobalProtect VPN — you probably want to urgently patch this.

Also researchers should probably avoid disclosing details publicly for a window to give orgs time to mitigate. https://t.co/vh18ZgsurC

— Kevin Beaumont (@GossiTheDog) June 29, 2020

Palo Alto Networks did not return an email seeking comment on the US Cyber Command’s warning.
