
US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," US Cyber Command said in a tweet today. "Foreign APTs will likely attempt [to] exploit soon," the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups.

US Cyber Command officials are right to be panicked. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale. A 10/10 CVSSv3 score means the vulnerability is both easy to exploit, as it doesn't require advanced technical skills, and remotely exploitable via the internet, without requiring attackers to first gain a foothold on the attacked device.

In technical terms, the vulnerability is an authentication bypass that allows threat actors to access the device without providing valid credentials. Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features may seem innocuous and of little consequence, the bug is in fact a major issue because it could be used to disable firewalls or VPN access-control policies, effectively disabling the PAN-OS device entirely.

In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a specific configuration for the bug to be exploitable. PAN engineers said the bug is only exploitable if the 'Validate Identity Provider Certificate' option is disabled and SAML (Security Assertion Markup Language) authentication is enabled.
However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor manuals instruct PAN-OS owners to set up this exact configuration when using third-party identity providers, such as Duo authentication on PAN-OS devices, or third-party authentication solutions from Centrify, Trusona, or Okta. This means that while the vulnerability looks harmless at first glance because of the specific configuration needed to exploit it, there are likely quite a few devices configured in this vulnerable state, especially given the widespread use of Duo authentication in the enterprise and government sectors.

At the time of writing, the number of vulnerable systems is estimated to be at most 4,200, according to Troy Mursch, co-founder of internet scanning and threat intel firm Bad Packets. "Of the 58,521 publicly accessible Palo Alto (PAN-OS) servers scanned by Bad Packets, 4,291 hosts were found using some type of SAML authentication," Mursch told ZDNet today. However, Mursch says that his company's scans can only tell whether SAML authentication is enabled, not whether the second condition (the 'Validate Identity Provider Certificate' option being disabled) is also met.

Owners of PAN-OS devices are advised to immediately review device configurations and apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state.
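One way for a PAN-OS owner to carry out the configuration review described above is to audit an exported configuration for both preconditions at once: an authentication profile that uses SAML and references a SAML identity-provider server profile whose 'Validate Identity Provider Certificate' option is off. External scanning, as the article notes, can only see the first condition; the configuration itself answers the second. The Python below is an added example, not Palo Alto Networks' code and not part of the article. The XML element names (`server-profile/saml-idp`, `validate-idp-certificate`, `authentication-profile`, the `method/saml-idp/server-profile` reference) and the sample configuration are assumptions modelled on a PAN-OS configuration export and must be checked against a real export before the script is relied on.

```python
"""Audit a PAN-OS-style XML configuration export for the CVE-2020-2021
precondition: SAML authentication in use with the 'Validate Identity
Provider Certificate' option disabled.

Added example. The element paths are an ASSUMPTION modelled on a PAN-OS
config export; verify them against your own exported running config.
"""
import xml.etree.ElementTree as ET

# Constructed sample export (not a real device config). Two SAML IdP
# profiles: "okta-prod" validates the IdP certificate, "duo-sso" does not.
# Only the authentication profile that references "duo-sso" is exposed.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-prod">
          <entity-id>https://idp.example.invalid/okta</entity-id>
          <sso-url>https://idp.example.invalid/okta/sso</sso-url>
          <certificate>okta-signing-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="duo-sso">
          <entity-id>https://idp.example.invalid/duo</entity-id>
          <sso-url>https://idp.example.invalid/duo/sso</sso-url>
          <certificate>duo-signing-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-vpn-users">
        <method><saml-idp><server-profile>duo-sso</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-sso">
        <method><saml-idp><server-profile>okta-prod</server-profile></saml-idp></method>
      </entry>
      <entry name="local-admins">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def saml_idp_validation(root):
    """Map each SAML IdP server-profile name to True if it validates the
    IdP certificate. A missing element is treated as 'no' so that the
    audit over-reports rather than silently misses a profile."""
    result = {}
    for entry in root.findall("shared/server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        result[entry.get("name")] = flag.strip().lower() == "yes"
    return result


def auth_profiles_using_saml(root):
    """Map each authentication profile that uses the SAML method to the
    IdP server-profile it references. Non-SAML profiles are skipped."""
    result = {}
    for entry in root.findall("shared/authentication-profile/entry"):
        ref = entry.findtext("method/saml-idp/server-profile")
        if ref:
            result[entry.get("name")] = ref.strip()
    return result


def find_exposed(config_xml):
    """Return sorted (auth-profile, idp-profile) pairs meeting the
    vulnerable precondition: SAML in use AND IdP cert validation off."""
    root = ET.fromstring(config_xml)
    validates = saml_idp_validation(root)
    findings = []
    for auth_name, idp_name in auth_profiles_using_saml(root).items():
        # An unknown IdP profile name is also flagged: .get() defaults to False.
        if not validates.get(idp_name, False):
            findings.append((auth_name, idp_name))
    return sorted(findings)


if __name__ == "__main__":
    for auth_name, idp_name in find_exposed(SAMPLE_CONFIG):
        print(f"EXPOSED: auth profile '{auth_name}' uses SAML IdP '{idp_name}' "
              f"with IdP certificate validation disabled")
```

The audit deliberately errs on the side of flagging: a SAML profile with no `validate-idp-certificate` element, or a dangling reference to a profile that does not exist, is reported as exposed so that an operator checks it by hand. A clean result answers only the configuration question; the fix the article and the vendor advisory call for is still the patch.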