Palo Alto Networks SAML Vulnerability

Marc Rogers

Today, Palo Alto Networks announced a critical security vulnerability affecting SAML certificate management across a range of their devices. While this vulnerability is isolated to Palo Alto Networks Firewalls, it impacts customers using these devices with independent identity providers (IDPs) that rely on the SAML protocol and who are using self-signed certificates, including customers of Okta.

Complete details can be found in Palo Alto Networks’ security advisory, here: https://security.paloaltonetworks.com/CVE-2020-2021

The vulnerability affects Palo Alto Networks customers using SAML authentication for SSO with the following products:

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
  • Prisma Access

Affected PAN-OS versions include:

  • Any device running PAN-OS earlier than 9.1.3
  • Any device running PAN-OS earlier than 9.0.9
  • Any device running PAN-OS earlier than 8.1.15
  • Any device running PAN-OS 8.0 (all versions)

Hosted Palo Alto Networks customers

  • Hosted instances (e.g. Prisma) have been upgraded by Palo Alto Networks. There should not be any action required on the customer’s part after the upgrade for their SAML or Okta configurations.

Impact

Any customer with a vulnerable Palo Alto Networks platform that is also running a vulnerable version of the OS and using a self-signed certificate or no certificate for SAML faces the risk that an attacker may be able to bypass their perimeter and access sensitive resources.

Additionally, any customer with exposed PAN-OS or Panorama web interfaces faces the risk that an unauthenticated attacker may be able to log into their system as administrator and perform administrative tasks.

This is a serious vulnerability and it is strongly recommended that all affected customers follow Palo Alto Networks’ recommended steps to fix the issue.

How to Fix Affected Devices

Details can be found in Palo Alto Networks’ advisory, here: https://security.paloaltonetworks.com/CVE-2020-2021

The fix is to upgrade an affected device to a known safe version of PAN-OS. A list of known safe versions can be found below:

Fixed / Unaffected Versions

  • Any PAN device running PAN-OS 9.1.3 or above
  • Any PAN device running PAN-OS 9.0.9 or above
  • Any PAN device running PAN-OS 8.1.15 or above
  • Any PAN device running PAN-OS 7.1 (all versions) is unaffected by this vulnerability.

Customers running any variant of PAN-OS 8.0 must upgrade to 8.1 as 8.0 is EOL and all versions are affected. Details on the upgrade path can be found here: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/upgrade-to-pan-os-81/upgrade-the-firewall-to-pan-os-81/determine-pan-os-upgrade-path.html

Once a customer has upgraded to the latest version, they should ensure the certificate used for signing SAML assertions is signed by a valid CA. This can be a certificate signed by a public CA or one signed by an enterprise CA that has been imported into PAN-OS.

Okta Support provides information on how to generate and deploy a new certificate: https://support.okta.com/help/s/article/How-to-create-a-CA-signed-certificate-for-Palo-Alto-Networks-SAML-Applications

Next Steps

After applying the fix, Palo Alto Networks also strongly recommends changing the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways, using the Panorama or firewall web interface. It is also recommended to restart the firewall and Panorama to clear any unauthorized sessions on the web interface. Unauthorized user sessions should be cleared from Captive Portal using the command line. Details can be found in the following PAN-OS documentation.

Workaround

While the workaround eliminates the exposure, it is strongly recommended that affected PAN-OS devices be upgraded as soon as possible. The workaround should be treated as a stop-gap measure until the fix can be applied.

Customers who cannot implement the upgrade immediately should implement the following workaround to prevent unauthorized access to their devices.

  1. Install a CA-signed certificate for SAML.
  2. Enable the “Validate Identity Provider Certificate” option in the PAN device GUI.

This option can be found on PAN devices in the following location: "Panorama > Server Profiles > SAML Identity Provider".
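To turn the fixed-version list above and the two-step workaround into a repeatable inventory check, here is an added example; it is not Okta's or Palo Alto Networks' code. The hostnames, the inventory fields (saml_sso, idp_cert_ca_signed, validate_idp_cert) and the handling of a "-hN" hotfix suffix are assumptions for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Lowest fixed release per affected PAN-OS branch, as listed in the advisory.
FIXED_MINIMUM = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}
AFFECTED_ALL = {(8, 0)}  # every 8.0 release is affected (EOL, upgrade to 8.1)
UNAFFECTED = {(7, 1)}    # 7.1 is listed as unaffected
# Assumed version shape: "9.0.9" or "9.0.9-h1" (hotfix); a hotfix stays in its branch.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")

# Constructed sample inventory (hypothetical hostnames and settings, not real devices).
SAMPLE_INVENTORY = [
    {"name": "fw-edge-1", "version": "9.0.8", "saml_sso": True},
    {"name": "fw-edge-2", "version": "9.0.9-h1", "saml_sso": True},
    {"name": "fw-lab", "version": "8.0.20", "saml_sso": True, "idp_cert_ca_signed": True, "validate_idp_cert": True},
    {"name": "fw-legacy", "version": "7.1.26", "saml_sso": True},
    {"name": "fw-ldap", "version": "8.1.14", "saml_sso": False},
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance); raise on a string that is not a PAN-OS version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if below the fixed release, False if fixed or unaffected, None if the branch is unlisted."""
    major, minor, maint = parse_version(version)
    branch = (major, minor)
    if branch in UNAFFECTED:
        return False
    if branch in AFFECTED_ALL:
        return True
    if branch in FIXED_MINIMUM:
        return (major, minor, maint) < FIXED_MINIMUM[branch]
    return None

def needs_action(device: Dict) -> str:
    """'ok' (fixed, unaffected or no SAML SSO), 'upgrade', 'workaround_only' or 'review'."""
    vulnerable = is_vulnerable_version(device["version"])
    if vulnerable is None:
        return "review"  # branch not covered by the advisory list; check it manually
    if not vulnerable or not device.get("saml_sso", False):
        return "ok"
    # Advisory workaround: CA-signed SAML certificate plus "Validate Identity Provider Certificate".
    mitigated = bool(device.get("idp_cert_ca_signed")) and bool(device.get("validate_idp_cert"))
    return "workaround_only" if mitigated else "upgrade"  # workaround is a stop-gap, upgrade still due
```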

Should you have any questions or issues regarding the Palo Alto Networks vulnerability, please open a ticket with Okta Support.

Marc Rogers
Senior Director, Cybersecurity Strategy

Marc Rogers is the Senior Director of Cybersecurity at Okta. With a career that spans more than thirty years, he has been hacking since the '80s and is now a white-hat hacker. Prior to Okta, Marc served as the Head of Security for Cloudflare and spent a decade managing security for the UK operator Vodafone. He was a CISO in South Korea and co-founded a disruptive Bay Area startup. In his role as technical advisor on “Mr. Robot,” he helped create hacks for the show. And, as if that’s not enough, he also organizes the world’s largest hacking conference: DEF CON. In early 2020, Marc co-founded the CTI League, a global volunteer-based organization that defends healthcare during the pandemic.