Bug in the System - Patch Palo Alto OS ASAP


Vulnerability Background

On June 29, 2020, U.S. Cyber Command (USCYBERCOM) issued a cybersecurity alert regarding a critical flaw affecting Palo Alto Networks PAN-OS, the operating system that runs Palo Alto’s firewalls and VPN appliances. USCYBERCOM was established in 2010 as a sub-unified command; its elevation to a Unified Combatant Command responsible for cyberspace operations was announced in 2017 and completed in 2018. Its mission is to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests. The command stated that it expects foreign hackers backed by well-resourced governments to attempt to exploit this vulnerability in Palo Alto products in the near term.

The vulnerability is an authentication bypass: a threat actor can access the device without presenting valid credentials. Against the PAN-OS or Panorama management web interface, that means logging in as an administrator; where SAML protects GlobalProtect portals and gateways, Captive Portal or Clientless VPN, it means reaching whatever resources the configured authentication and security policies allow. With administrative privileges, attackers could install software of their choice, alter firewall policy, or carry out other malicious actions with potentially serious consequences.

The vulnerability, tracked as CVE-2020-2021, lies in how PAN-OS handles Security Assertion Markup Language (SAML), an authentication mechanism in which the firewall hands the login off to an external identity provider (IdP) and trusts the signed assertions the IdP returns. An attacker needs only network access to an affected interface; the interface need not be reachable from the Internet, and no credentials are required. CVE-2020-2021 can be exploited only when SAML authentication is enabled and the “Validate Identity Provider Certificate” option in the SAML Identity Provider Server Profile is disabled. In that configuration, the affected PAN-OS releases fail to properly verify the signatures on SAML responses, so a forged assertion can be accepted as though it came from the trusted IdP.

Affected Products and Mitigation

Affected releases are PAN-OS 9.1 versions earlier than 9.1.3, PAN-OS 9.0 versions earlier than 9.0.9, PAN-OS 8.1 versions earlier than 8.1.15, and all versions of PAN-OS 8.0, which is end of life and will not receive a fix. PAN-OS 7.1 is unaffected. Fixes are available in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions. Organizations should upgrade every affected device immediately; devices with SAML authentication enabled are the priority, since the flaw cannot be triggered where SAML is not in use. Where an upgrade cannot happen right away, Palo Alto Networks’ published workaround is to enable “Validate Identity Provider Certificate” on every SAML Identity Provider Server Profile (which requires the IdP’s signing certificate to be issued by a certificate authority) or to move the affected authentication profiles to a different authentication method. Patching does not evict an attacker who has already used the flaw, so after upgrading, review Authentication, User-ID and GlobalProtect logs for unfamiliar usernames and source addresses from the period before the fix was applied.
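Both conditions above, an unfixed release and an in-use SAML IdP profile with certificate validation disabled, can be checked offline against a configuration export. The script below is an added example written for this article, not Palo Alto Networks code. It assumes the PAN-OS configuration XML layout shown in its embedded, constructed sample (server-profile/saml-idp entries carrying a validate-idp-certificate element, and authentication-profile entries that reference them under method/saml-idp/server-profile), and it treats a missing validate-idp-certificate element as disabled; confirm both assumptions against your own running configuration before relying on the result.

```python
"""Offline audit for CVE-2020-2021 exposure on a PAN-OS device.

Added example for this article (not Palo Alto Networks code). Inputs are the
sw-version string that `show system info` reports and an exported
configuration XML. A device is exposed only when BOTH hold:
  1. the release is earlier than the fixed release for its branch, and
  2. an authentication profile uses a SAML IdP server profile on which
     "Validate Identity Provider Certificate" is disabled.
The element names used below (validate-idp-certificate and
method/saml-idp/server-profile) are assumptions about the PAN-OS config
layout; verify them against a real export.
"""
import xml.etree.ElementTree as ET

# First fixed release per branch (from the vendor advisory). Every earlier
# release on the same branch is affected. 8.0 has no fix; 7.1 is unaffected.
FIXED_RELEASE = {"8.1": (8, 1, 15), "9.0": (9, 0, 9), "9.1": (9, 1, 3)}
NO_FIX_BRANCHES = {"8.0"}


def parse_version(sw_version):
    """'9.1.2-h1' -> (9, 1, 2). A hotfix suffix does not change the base release."""
    base = sw_version.strip().split("-")[0]
    nums = [int(p) for p in base.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_affected(sw_version):
    """True when the release falls inside an affected range."""
    v = parse_version(sw_version)
    branch = f"{v[0]}.{v[1]}"
    if branch in NO_FIX_BRANCHES:
        return True
    if branch in FIXED_RELEASE:
        return v < FIXED_RELEASE[branch]
    return False  # 7.1 and any branch the advisory does not list


def weak_saml_profiles(config_xml):
    """Names of SAML IdP profiles that are both referenced by an authentication
    profile and configured with IdP certificate validation disabled."""
    root = ET.fromstring(config_xml)
    unvalidated = set()
    # The relative path matches shared and per-vsys server profiles alike.
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        # Assumption: an absent element is treated as "no" (conservative).
        flag = (entry.findtext("validate-idp-certificate") or "no").strip()
        if flag != "yes":
            unvalidated.add(entry.get("name"))
    in_use = set()
    for entry in root.iterfind(".//authentication-profile/entry"):
        ref = entry.findtext("method/saml-idp/server-profile")
        if ref:
            in_use.add(ref.strip())
    return sorted(unvalidated & in_use)


def audit(sw_version, config_xml):
    """Combine the version and configuration checks into one verdict."""
    weak = weak_saml_profiles(config_xml)
    affected = version_affected(sw_version)
    return {
        "version_affected": affected,
        "weak_saml_profiles": weak,
        "exposed": affected and bool(weak),
    }


# Constructed sample export (not from a real device): one SAML profile with
# validation off and in use, one with validation on, and one LDAP profile.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <validate-idp-certificate>no</validate-idp-certificate>
          <sso-url>https://idp.example.test/sso</sso-url>
        </entry>
        <entry name="lab-idp">
          <validate-idp-certificate>yes</validate-idp-certificate>
          <sso-url>https://lab-idp.example.test/sso</sso-url>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-saml">
        <method><saml-idp><server-profile>corp-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="lab-saml">
        <method><saml-idp><server-profile>lab-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-ldap">
        <method><ldap><server-profile>corp-ldap</server-profile></ldap></method>
      </entry>
    </authentication-profile>
  </shared>
</config>"""

if __name__ == "__main__":
    for ver in ("9.0.8", "9.0.9", "8.0.21", "7.1.26"):
        print(ver, audit(ver, SAMPLE_CONFIG))
```

Run it against the real export from `show config running` (or the XML API) and the sw-version from `show system info`; only the combination of an affected version and a non-empty weak_saml_profiles list means the device is exploitable as described, though any affected version should still be upgraded.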

Ongoing Risk Management

It is critical to assess the risks that are prevalent within an organization's core network infrastructure. As technology rapidly changes, oftentimes core network appliances and other devices are shipped and installed with "out-of-box" settings, lacking the hardening required for maximum security. Schneider Downs’ Network Device Security and Configuration Assessment is a comprehensive analysis of potential vulnerabilities and misconfigurations on a device. From firewalls, to switches and routers, Schneider Downs has the expertise to identify and assess the risks of single and cumulative vulnerabilities that exist across these devices. We perform automated and manual assessments and take a collaborative approach in establishing an action plan to remediate all identified vulnerabilities. We also consider any other security components and mitigating factors to determine the overall risk to the security posture of the organization's internal network appliances.

As the protection of systems and critical data continues to be a major component of cybersecurity awareness, Schneider Downs maintains in-depth knowledge of industry best practices and can assist your organization in identifying vulnerabilities and overall risk to your internal network infrastructure. We have continued to establish ongoing relationships with new and existing clients to ensure coverage of the ever-changing risks posed by network vulnerabilities.

Learn more about how our team can help with your network device security needs or contact the team for more information.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit our website.

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.
