{"containers": {"cna": {"affected": [{"product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "7.1.*"}, {"status": "affected", "version": "8.0.*"}, {"changes": [{"at": "8.1.15", "status": "unaffected"}], "lessThan": "8.1.15", "status": "affected", "version": "8.1", "versionType": "custom"}, {"changes": [{"at": "9.0.9", "status": "unaffected"}], "lessThan": "9.0.9", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "9.1.3", "status": "unaffected"}], "lessThan": "9.1.3", "status": "affected", "version": "9.1", "versionType": "custom"}]}], "configurations": [{"lang": "en", "value": "This issue is applicable only where SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile.\nThis issue cannot be exploited if SAML is not used for authentication.\nThis issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile.\nDetailed descriptions of how to check for the configuration required for exposure and mitigate them are listed in the knowledge base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.\nTo check whether SAML authentication is enabled on a firewall, see the configuration under Device > Server Profiles > SAML Identity Provider.\nTo check whether SAML authentication is enabled for Panorama administrator authentication, see the configuration under Panorama> Server Profiles > SAML Identity Provider\nTo check whether SAML authentication is enabled for firewalls managed by Panorama, see the configuration under Device > [template]> Server Profiles > SAML Identity Provider.\nAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions."}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue."}], "datePublic": "2020-06-29T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-29T15:10:11.000Z", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2020-2021"}], "solutions": [{"lang": "en", "value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.\n\nImportant: Ensure that the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication\n\nDetails of all actions required before and after upgrading PAN-OS are available in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK. \n\nTo eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface. Refer to this article for configuring Authentication override cookies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy\n\nRestarting firewalls and Panorama eliminates any unauthorized sessions on the web interface.\nTo clear any unauthorized user sessions in Captive Portal take the following steps: \nRun the following command \n show user ip-user-mapping all type SSO\nFor all the IPs returned, run these two commands to clear the users:\n clear user-cache-mp <above ips>\n clear user-cache <above ips>\nPAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by our Product Security Assurance policies.\nAll Prisma Access services have been upgraded to resolve this issue and are no longer vulnerable. Prisma Access customers do not require any changes to SAML or IdP configurations."}], "source": {"defect": ["PAN-148988"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2020-06-29T00:00:00", "value": "Initial publication"}], "title": "PAN-OS: Authentication Bypass in SAML Authentication", "workarounds": [{"lang": "en", "value": "Using a different authentication method and disabling SAML authentication will completely mitigate the issue.\nUntil an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:\n\n(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.\n\n(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.\n\nUpgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-06-29T15:00:00.000Z", "ID": "CVE-2020-2021", "STATE": "PUBLIC", "TITLE": "PAN-OS: Authentication Bypass in SAML Authentication"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PAN-OS", "version": {"version_data": [{"version_affected": "!", "version_name": "7.1", "version_value": "7.1.*"}, {"version_affected": "=", "version_name": "8.0", "version_value": "8.0.*"}, {"version_affected": "<", "version_name": "8.1", "version_value": "8.1.15"}, {"version_affected": "!>=", "version_name": "8.1", "version_value": "8.1.15"}, {"version_affected": "<", "version_name": "9.0", "version_value": "9.0.9"}, {"version_affected": "!>=", "version_name": "9.0", "version_value": "9.0.9"}, {"version_affected": "<", "version_name": "9.1", "version_value": "9.1.3"}, {"version_affected": "!>=", "version_name": "9.1", "version_value": "9.1.3"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "configuration": [{"lang": "en", "value": "This issue is applicable only where SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile.\nThis issue cannot be exploited if SAML is not used for authentication.\nThis issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile.\nDetailed descriptions of how to check for the configuration required for exposure and mitigate them are listed in the knowledge base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.\nTo check whether SAML authentication is enabled on a firewall, see the configuration under Device > Server Profiles > SAML Identity Provider.\nTo check whether SAML authentication is enabled for Panorama administrator authentication, see the configuration under Panorama> Server Profiles > SAML Identity Provider\nTo check whether SAML authentication is enabled for firewalls managed by Panorama, see the configuration under Device > [template]> Server Profiles > SAML Identity Provider.\nAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions."}], "credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}]}, "exploit": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347 Improper Verification of Cryptographic Signature"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2020-2021", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2020-2021"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.\n\nImportant: Ensure that the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication\n\nDetails of all actions required before and after upgrading PAN-OS are available in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK. \n\nTo eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface. Refer to this article for configuring Authentication override cookies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy\n\nRestarting firewalls and Panorama eliminates any unauthorized sessions on the web interface.\nTo clear any unauthorized user sessions in Captive Portal take the following steps: \nRun the following command \n show user ip-user-mapping all type SSO\nFor all the IPs returned, run these two commands to clear the users:\n clear user-cache-mp <above ips>\n clear user-cache <above ips>\nPAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by our Product Security Assurance policies.\nAll Prisma Access services have been upgraded to resolve this issue and are no longer vulnerable. Prisma Access customers do not require any changes to SAML or IdP configurations."}], "source": {"defect": ["PAN-148988"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2020-06-29T00:00:00", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "Using a different authentication method and disabling SAML authentication will completely mitigate the issue.\nUntil an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:\n\n(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.\n\n(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.\n\nUpgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:54:00.586Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.paloaltonetworks.com/CVE-2020-2021"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-2021", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T12:42:40.893905Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-03-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2021"}}}], "timeline": [{"time": "2022-03-25T00:00:00+00:00", "lang": "en", "value": "CVE-2020-2021 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-30T01:45:40.159Z"}}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2020-2021", "datePublished": "2020-06-29T15:10:11.350Z", "dateReserved": "2019-12-04T00:00:00.000Z", "dateUpdated": "2025-07-30T01:45:40.159Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2020-2021", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:54:00.586Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-2021", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T12:42:40.893905Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-03-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2020-2021"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T12:42:43.313Z"}}], "cna": {"title": "PAN-OS: Authentication Bypass in SAML Authentication", "source": {"defect": ["PAN-148988"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue."}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [{"status": "unaffected", "version": "7.1.*"}, {"status": "affected", "version": "8.0.*"}, {"status": "affected", "changes": [{"at": "8.1.15", "status": "unaffected"}], "version": "8.1", "lessThan": "8.1.15", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "9.0.9", "status": "unaffected"}], "version": "9.0", "lessThan": "9.0.9", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "9.1.3", "status": "unaffected"}], "version": "9.1", "lessThan": "9.1.3", "versionType": "custom"}]}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "timeline": [{"lang": "en", "time": "2020-06-29T00:00:00", "value": "Initial publication"}], "solutions": [{"lang": "en", "value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.\n\nImportant: Ensure that the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication\n\nDetails of all actions required before and after upgrading PAN-OS are available in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK. \n\nTo eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface. Refer to this article for configuring Authentication override cookies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy\n\nRestarting firewalls and Panorama eliminates any unauthorized sessions on the web interface.\nTo clear any unauthorized user sessions in Captive Portal take the following steps: \nRun the following command \n show user ip-user-mapping all type SSO\nFor all the IPs returned, run these two commands to clear the users:\n clear user-cache-mp <above ips>\n clear user-cache <above ips>\nPAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by our Product Security Assurance policies.\nAll Prisma Access services have been upgraded to resolve this issue and are no longer vulnerable. Prisma Access customers do not require any changes to SAML or IdP configurations."}], "datePublic": "2020-06-29T00:00:00.000Z", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2020-2021", "tags": ["x_refsource_MISC"]}], "workarounds": [{"lang": "en", "value": "Using a different authentication method and disabling SAML authentication will completely mitigate the issue.\nUntil an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:\n\n(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.\n\n(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.\n\nUpgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "configurations": [{"lang": "en", "value": "This issue is applicable only where SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile.\nThis issue cannot be exploited if SAML is not used for authentication.\nThis issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile.\nDetailed descriptions of how to check for the configuration required for exposure and mitigate them are listed in the knowledge base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.\nTo check whether SAML authentication is enabled on a firewall, see the configuration under Device > Server Profiles > SAML Identity Provider.\nTo check whether SAML authentication is enabled for Panorama administrator authentication, see the configuration under Panorama> Server Profiles > SAML Identity Provider\nTo check whether SAML authentication is enabled for firewalls managed by Panorama, see the configuration under Device > [template]> Server Profiles > SAML Identity Provider.\nAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions."}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2020-06-29T15:10:11.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University for discovering and reporting this issue."}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"defect": ["PAN-148988"], "discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "7.1", "version_value": "7.1.*", "version_affected": "!"}, {"version_name": "8.0", "version_value": "8.0.*", "version_affected": "="}, {"version_name": "8.1", "version_value": "8.1.15", "version_affected": "<"}, {"version_name": "8.1", "version_value": "8.1.15", "version_affected": "!>="}, {"version_name": "9.0", "version_value": "9.0.9", "version_affected": "<"}, {"version_name": "9.0", "version_value": "9.0.9", "version_affected": "!>="}, {"version_name": "9.1", "version_value": "9.1.3", "version_affected": "<"}, {"version_name": "9.1", "version_value": "9.1.3", "version_affected": "!>="}]}, "product_name": "PAN-OS"}]}, "vendor_name": "Palo Alto Networks"}]}}, "exploit": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}], "solution": [{"lang": "en", "value": "This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.\n\nImportant: Ensure that the signing certificate for your SAML Identity Provider is configured as the 'Identity Provider Certificate' before you upgrade to a fixed version to ensure that your users can continue to authenticate successfully. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication\n\nDetails of all actions required before and after upgrading PAN-OS are available in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK. \n\nTo eliminate unauthorized sessions on GlobalProtect portals and gateways, Prisma Access managed through Panorama, change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using the Panorama or firewall web interface. Refer to this article for configuring Authentication override cookies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy\n\nRestarting firewalls and Panorama eliminates any unauthorized sessions on the web interface.\nTo clear any unauthorized user sessions in Captive Portal take the following steps: \nRun the following command \n show user ip-user-mapping all type SSO\nFor all the IPs returned, run these two commands to clear the users:\n clear user-cache-mp <above ips>\n clear user-cache <above ips>\nPAN-OS 8.0 is end-of-life (as of October 31, 2019) and is no longer covered by our Product Security Assurance policies.\nAll Prisma Access services have been upgraded to resolve this issue and are no longer vulnerable. Prisma Access customers do not require any changes to SAML or IdP configurations."}], "timeline": [{"lang": "en", "time": "2020-06-29T00:00:00", "value": "Initial publication"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://security.paloaltonetworks.com/CVE-2020-2021", "name": "https://security.paloaltonetworks.com/CVE-2020-2021", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347 Improper Verification of Cryptographic Signature"}]}]}, "work_around": [{"lang": "en", "value": "Using a different authentication method and disabling SAML authentication will completely mitigate the issue.\nUntil an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:\n\n(a) Ensure that the 'Identity Provider Certificate' is configured. Configuring the 'Identity Provider Certificate' is an essential part of a secure SAML authentication configuration.\n\n(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the 'Validate Identity Provider Certificate' option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.\n\nUpgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-2021", "STATE": "PUBLIC", "TITLE": "PAN-OS: Authentication Bypass in SAML Authentication", "ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-06-29T15:00:00.000Z"}, "configuration": [{"lang": "en", "value": "This issue is applicable only where SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked) in the SAML Identity Provider Server Profile.\nThis issue cannot be exploited if SAML is not used for authentication.\nThis issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled in the SAML Identity Provider Server Profile.\nDetailed descriptions of how to check for the configuration required for exposure and mitigate them are listed in the knowledge base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK.\nTo check whether SAML authentication is enabled on a firewall, see the configuration under Device > Server Profiles > SAML Identity Provider.\nTo check whether SAML authentication is enabled for Panorama administrator authentication, see the configuration under Panorama> Server Profiles > SAML Identity Provider\nTo check whether SAML authentication is enabled for firewalls managed by Panorama, see the configuration under Device > [template]> Server Profiles > SAML Identity Provider.\nAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions."}]}}}, "cveMetadata": {"cveId": "CVE-2020-2021", "state": "PUBLISHED", "dateUpdated": "2025-02-07T12:47:15.924Z", "dateReserved": "2019-12-04T00:00:00.000Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2020-06-29T15:10:11.350Z", "assignerShortName": "palo_alto"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-04-15", "cisaExploitAdd": "2022-03-25", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BEFBF38-AF84-4477-A6B9-5BDD51D54F4F", "versionEndIncluding": "8.0.20", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "6116C706-6AC7-476D-9624-C0D4BE3D497A", "versionEndExcluding": "8.1.15", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D6E8B99-4150-4AE8-A580-08AC71F64760", "versionEndExcluding": "9.0.9", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E9F14E9-3CD7-443B-9D97-254E917FA22B", "versionEndExcluding": "9.1.3", "versionStartIncluding": "9.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability."}, {"lang": "es", "value": "Cuando la autenticaci\u00f3n Security Assertion Markup Language (SAML) est\u00e1 habilitada y la opci\u00f3n \u201cValidate Identity Provider Certificate\u201d est\u00e1 deshabilitada (desmarcada), la verificaci\u00f3n inapropiada de firmas en la autenticaci\u00f3n SAML de PAN-OS permite a un atacante basado en la red no autenticado acceder a recursos protegidos. El atacante debe tener acceso de red al servidor vulnerable para explotar esta vulnerabilidad. Este problema afecta a PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.3; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.9; PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.15, y todas las versiones de PAN-OS 8.0 (EOL). Este problema no afecta a PAN-OS versi\u00f3n 7.1. Este problema no puede ser explotado si SAML no es usado para la autenticaci\u00f3n. Este problema no puede ser explotado si la opci\u00f3n \u201cValidate Identity Provider Certificate\u201d est\u00e1 habilitada (marcada) en el SAML Identity Provider Server Profile. Los recursos que pueden ser protegidos mediante la autenticaci\u00f3n de inicio de sesi\u00f3n \u00fanico basada en SAML (SSO) son: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication y Captive Portal, los firewalls de PAN-OS de pr\u00f3xima generaci\u00f3n (PA-Series, VM-Series) e interfaces web Panorama, Prisma Access en el caso de GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal y Prisma Access, un atacante no autenticado con acceso a la red para los servidores afectados puede conseguir acceso a recursos protegidos si es permitido por la autenticaci\u00f3n configurada y las pol\u00edticas de Seguridad. No hay impacto en la integridad y disponibilidad de la puerta de enlace, portal o servidor VPN. Un atacante no puede inspeccionar ni alterar las sesiones de los usuarios habituales. En el peor de los casos, esta es una vulnerabilidad de gravedad cr\u00edtica con una Puntuaci\u00f3n Base CVSS de 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). En el caso de las interfaces web de PAN-OS y Panorama, este problema permite a un atacante no autenticado con acceso de red a las interfaces web de PAN-OS o Panorama iniciar sesi\u00f3n como administrador y llevar a cabo acciones administrativas. En el peor de los casos, esta es una vulnerabilidad de gravedad cr\u00edtica con un Puntaje Base CVSS de 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Si las interfaces web solo son accesibles para una red de administraci\u00f3n restringida, entonces el problema se reduce a una Puntuaci\u00f3n Base CVSS de 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks no tiene conocimiento de ning\u00fan intento malicioso para explotar esta vulnerabilidad"}], "id": "CVE-2020-2021", "lastModified": "2025-02-07T15:03:31.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-29T15:15:12.733", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2020-2021"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2020-2021"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}