Yesterday, Palo Alto Networks alerted the public to a known security bug on its PAN-OS operating systems. Listen in as BitLyft’s CEO, Jason Miller, addresses concerns about the topic. A transcript of the interview is below.
What is the PAN-OS security bug and what does it mean for me
Thank you for joining our update today. We’re going to be talking about the Palo Alto PAN-OS vulnerability. This is brand new, and we want to make sure you’re up to date in understanding what this Palo Alto vulnerability actually means for you. So if you own a Palo Alto firewall and you have VPN users, which almost everybody does, especially today as we’re dealing with COVID and we’re dealing with a lot of remote users remoting in/VPN-ing in to the network. We wanted to bring this vulnerability to you as quickly as we possibly could. And share with you the details on it so you could understand if you are a person that should be looking into this vulnerability deeper, if you should be applying the patch, if you should be concerned.
Let’s dive right in.
What you need to know about the PAN-OS vulnerability
First off, the CVE number for this is 2020-2021. It’s considered a rare vulnerability, so therefore, it scores a 10/10 which is the highest vulnerability severity level that can be applied to a CVE. So this CVE means that if you are vulnerable to it, you should apply this patch immediately. Or change your configuration.
Fixing the security flaw
There is a PAN-OS patch that is available via Palo Alto’s website. They do supply the security patch for this. It was produced rather quickly, however, it is showing that if you are on version 9.1.3 or lower you’re affected. And so, if you’re greater than 9.1.3 than you’re unaffected. There is a list of the Palo Alto OS releases on the website, check the version that you’re on and see if this affects you.
To get into the specifics of it: If you use SAML for authentication and you have the validate identity provider certificate unchecked, or essentially disabled, then you are susceptible or vulnerable to this easy attack. This is not a complicated attack. This is actually the reason this scored a 10/10 because the vulnerability was not a complicated attack measure for a criminal to use. So what you want to do is ask your peers to look into your firewall and see if you’re using SAML for authentication and find out if you have the validate identity provider certificate checked or unchecked. If it is unchecked you potentially are vulnerable. Also check the version that your firewall is on and see if you’re on a lower than 9.1.3. The other thing is, the way that this is a vulnerability for attackers is if you’re using the global protect gateway, the portal, the client list VPN, the authentication captive portal, any of those are areas where the vulnerability exists to be attacked and exploited. Almost everybody that I know is using Palo Alto’s global protect gateway, portal, client list VPN, and captive portal. These are all ways you would authenticate into the firewall. And this can be done remotely so you don’t just have to be inside the network, you can also be outside the network. Meaning you’re remote and this vulnerability can be used against you.
The PAN-OS bug timeline and takeaways
This is a pretty short order, meaning, the time from when the PAN-OS bug was found, the United States CERT put out the notification pretty quickly. Palo Alto came up with a patch fairly quickly.
But what I want to point out here is this. Think about this. These vulnerabilities that are quickly found and known and patched. They all have a common theme, they’re known, or they’re found. What I would like you to think about for a moment—think about all the vulnerabilities that haven’t been found quite yet. That haven’t had a CVE number attached to them yet. Haven’t had a patch created for them yet. But yet, some criminal has found it and is exploiting and using it to their ability to gain access to your network.
So these are great that we have a patch and that we have the ability to quickly remediate the situation or apply an update. But think about all of the situations that are unknown at the moment in your environment that potentially could be used against you. Now I know I’m not stretching the truth here and this isn’t far fetched. But just think about this. This wasn’t known to the public until someone found the vulnerability and they posted about it. And then Palo Alto reacted to it with a security patch—updating the problem and correcting the issue. How long was that? How long has this vulnerability been there? Has this PAN-OS vulnerability been here 2 months, 6 months, 9 months? Ever since they released 9.1.3? And that’s the question here. And this is what we as security professionals need to be paying attention to. Is understanding ways that we can monitor, detect unusual behavior, threats in the network and find out where people might be exploiting vulnerabilities aren’t even known in our network yet.
If you have any questions or concerns about patching the vulnerability on your network, feel free to contact us.