Palo Alto Networks SAML Vulnerability
Today, Palo Alto Networks announced a critical security vulnerability affecting SAML certificate management across a range of their devices. While this vulnerability is isolated to Palo Alto Networks Firewalls, it impacts customers using these devices with independent identity providers (IDPs) that rely on the SAML protocol and who are using self-signed certificates, including customers of Okta.
Complete details can be found in Palo Alto Networks’ security advisory, here: https://security.paloaltonetworks.com/CVE-2020-2021
The vulnerability affects Palo Alto Networks customers using SAML authentication for SSO with the following products:
GlobalProtect Gateway
GlobalProtect Portal
GlobalProtect Clientless VPN
Authentication and Captive Portal
PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
Prisma Access
Affected PAN-OS Versions include
Any device running PAN-OS earlier than 9.1.3
Any device running PAN-OS earlier than 9.0.9
Any device running PAN-OS earlier than 8.1.15
Any device running PAN-OS 8.0 (all versions)
Hosted Palo Alto Networks customers
Hosted instances (e.g. Prisma) have been upgraded by Palo Alto Networks. There should not be any action required on the customer’s part after the upgrade for their SAML or Okta configurations.
Impact
Any customer using one of the affected products on a vulnerable PAN-OS version with a self-signed certificate, or no certificate, for SAML faces the risk that an attacker may be able to bypass their perimeter and access sensitive resources.
Additionally, any customer with exposed PAN-OS or Panorama web interfaces faces the risk that an unauthenticated attacker may be able to log into their system as administrator and perform administrative tasks.
This is a serious vulnerability and it is strongly recommended that all affected customers follow Palo Alto Networks’ recommended steps to fix the issue.
How to Fix Affected Devices
Details can be found in Palo Alto Networks’ advisory, here: https://security.paloaltonetworks.com/CVE-2020-2021
The fix is to upgrade an affected device to a known safe version of PAN-OS. A list of known safe versions can be found below:
Fixed / Unaffected Versions
Any PAN device running PAN-OS 9.1.3 or above
Any PAN device running PAN-OS 9.0.9 or above
Any PAN device running PAN-OS 8.1.15 or above
Any PAN device running PAN-OS 7.1 (all versions) is unaffected by this vulnerability.
Customers running any variant of PAN-OS 8.0 must upgrade to 8.1, as 8.0 is EOL and all of its versions are affected. Details on the upgrade path can be found here: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/upgrade-to-pan-os-81/upgrade-the-firewall-to-pan-os-81/determine-pan-os-upgrade-path.html
Once a customer has upgraded to the latest version, they should ensure the certificate used for signing SAML assertions is signed by a valid CA. This can be a certificate signed by a public CA or one signed by an enterprise CA that has been imported into PAN-OS.
Okta Support provides information on how to generate and deploy a new certificate: https://support.okta.com/help/s/article/How-to-create-a-CA-signed-certificate-for-Palo-Alto-Networks-SAML-Applications
Next Steps
After applying the fix, Palo Alto Networks also strongly recommends changing the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways, using the Panorama or firewall web interface. It is also recommended to restart the firewall and Panorama to clear any unauthorized sessions on the web interface. Unauthorized user sessions should be cleared from Captive Portal using the command line. Details can be found in the following PAN-OS documentation.
Workaround
While the workaround eliminates the exposure, it is strongly recommended that affected PAN-OS devices be upgraded as soon as possible. The workaround should be treated as a stop-gap measure until the fix can be applied.
Customers who cannot implement the upgrade immediately should implement the following workaround to prevent unauthorized access to their devices.
Install a CA-signed certificate for SAML.
Enable the “Validate Identity Provider Certificate” option in the PAN device GUI.
This option can be found on PAN devices in the following location: "Panorama > Server Profiles > SAML Identity Provider".
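The affected and fixed version lists above, together with the two workaround conditions, reduce to a simple per-device check that an operator can run over a fleet inventory. The following script is an added example and not code from Okta or Palo Alto Networks: it encodes only the version boundaries and conditions stated on this page, treats any version train not listed here (for example 10.x) as "not covered" rather than guessing, and assumes that PAN-OS version strings look like "major.minor.maintenance" with an optional "-hN" hotfix suffix (a hotfix of a fixed release is treated as at least that release). The device list at the bottom is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Version boundaries taken from this advisory:
# (major, minor) -> first fixed maintenance release in that train,
# or None when every release in the train is affected.
FIRST_FIXED = {
    (9, 1): 3,
    (9, 0): 9,
    (8, 1): 15,
    (8, 0): None,  # EOL: all 8.0 releases affected, upgrade to 8.1
}
# Trains the advisory explicitly calls unaffected.
UNAFFECTED_TRAINS = {(7, 1)}

# Assumed version format: "9.1.3" or "9.1.3-h1" (hotfix suffix ignored).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_panos_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance) for a PAN-OS version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint = (int(x) for x in m.groups())
    return major, minor, maint


def is_affected_version(version: str) -> Optional[bool]:
    """True if the version is in the affected list, False if fixed/unaffected,
    None if the train is not covered by this advisory."""
    major, minor, maint = parse_panos_version(version)
    train = (major, minor)
    if train in UNAFFECTED_TRAINS:
        return False
    if train not in FIRST_FIXED:
        return None
    first_fixed = FIRST_FIXED[train]
    if first_fixed is None:
        return True
    return maint < first_fixed


def assess(version: str, saml_cert_ca_signed: bool,
           validate_idp_cert_enabled: bool) -> str:
    """Combine the version check with the SAML certificate conditions."""
    affected = is_affected_version(version)
    if affected is None:
        return "unknown: version train not covered by this advisory"
    if not affected:
        if not saml_cert_ca_signed:
            # Page: after upgrading, the SAML signing cert should be CA-signed.
            return "patched: replace the self-signed SAML certificate with a CA-signed one"
        return "patched"
    # Affected version: the workaround needs both steps to be in place.
    if saml_cert_ca_signed and validate_idp_cert_enabled:
        return "workaround in place: upgrade as soon as possible"
    return "EXPOSED: upgrade now, or apply both workaround steps"


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, CA-signed cert?, validate IdP cert?)
    inventory = [
        ("fw-edge-1", "9.0.8", False, False),
        ("fw-edge-2", "9.1.3-h1", True, True),
        ("panorama-1", "8.1.14", True, True),
        ("fw-lab", "8.0.21", False, True),
        ("fw-old", "7.1.26", False, False),
        ("fw-new", "10.0.0", True, True),
    ]
    for host, ver, ca_signed, validate in inventory:
        print(f"{host:12} {ver:10} {assess(ver, ca_signed, validate)}")
```

Run the script as-is to see the verdict for each constructed device; in practice, replace the inventory list with version strings pulled from your own Panorama or firewall inventory and the two booleans with what the SAML Identity Provider server profile actually shows.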
Should you have any questions or issues regarding the Palo Alto Networks vulnerability, please open a ticket with Okta Support.