Recently released versions of PAN-OS contain an important fix for a critical security vulnerability listed on the Palo Alto Networks Security Advisories Site. (https://security.paloaltonetworks.com/CVE-2020-2021)
If you are using SAML in production deployments, you may be affected by this critical security vulnerability under certain configurations. The risk can be mitigated by upgrading to a fixed version of PAN-OS outlined below (strongly recommended), or by ensuring that your SAML configuration is updated.
Even if you update your SAML configuration to mitigate the vulnerability, or if you are not using SAML, we encourage you to upgrade at your earliest convenience to avoid any inadvertent exposure with an unpatched version.
Instructions for checking the SAML "Validate Identity Provider Certificate" setting and the related PAN-OS configuration are included below.
- Securing your SAML Deployment – (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK)
- Invalidate Previously Issued GP Auth Override Cookies (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXy)
- PAN-OS Configure SAML Authentication – (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-saml-authentication.html)
- PAN-OS SAML IdP Profiles – (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-server-profiles-saml-identity-provider.html)
- Prisma Access Security Announcement – (https://status.paloaltonetworks.com/incidents/gd5jc5s7cd3y)
- Prisma Access Deployments with SAML IdP Configuration – (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UVY)
For more information on the required upgrade steps, please see the Upgrade/Downgrade Considerations article.
If upgrading at this time is not an option, take immediate action to apply the following mitigation steps to help reduce risk.
- Ensure ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML based authentication configuration.
- If the ‘Identity Provider Certificate’ is NOT a self-signed certificate, then ensure the ‘Validate Identity Provider Certificate’ option is turned on in the SAML Identity Provider Server Profile.
- If the ‘Identity Provider Certificate’ is a self-signed certificate, consult the published Knowledge Base article (here) to learn more about IdP settings, and contact your customer’s SAML/Identity administrators to make the necessary modifications.
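As an added example (not Palo Alto Networks code), the following script reads an exported PAN-OS XML configuration and reports which SAML Identity Provider server profiles fail either of the two checks above. The element names saml-idp, certificate and validate-idp-certificate are assumed from the configuration schema and should be confirmed against your own exported running config.

```python
# Added audit helper (not Palo Alto Networks code). Assumed element names:
# saml-idp, certificate, validate-idp-certificate; verify them against
# the output of your own running-config export before relying on results.
import xml.etree.ElementTree as ET

# Constructed sample export: one hardened profile, two that need attention.
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="idp-ok">
    <certificate>idp-signing-cert</certificate>
    <validate-idp-certificate>yes</validate-idp-certificate>
  </entry>
  <entry name="idp-no-validate">
    <certificate>idp-signing-cert</certificate>
    <validate-idp-certificate>no</validate-idp-certificate>
  </entry>
  <entry name="idp-no-cert">
    <validate-idp-certificate>no</validate-idp-certificate>
  </entry>
</saml-idp></server-profile></shared></config>"""


def audit_saml_profiles(config_xml: str) -> dict:
    """Map each SAML IdP profile name to a list of findings (empty = OK)."""
    root = ET.fromstring(config_xml)
    findings = {}
    # Profiles can sit under <shared> or under a vsys, so search the tree.
    for entry in root.findall(".//saml-idp/entry"):
        name = entry.get("name", "<unnamed>")
        problems = []
        cert = (entry.findtext("certificate") or "").strip()
        # An absent element is treated as "not validated" (conservative).
        validate = (entry.findtext("validate-idp-certificate") or "no").strip()
        if not cert:
            problems.append("no Identity Provider Certificate configured")
        if validate.lower() != "yes":
            problems.append("Validate Identity Provider Certificate is off")
        findings[name] = problems
    return findings


def noncompliant(config_xml: str) -> list:
    """Sorted names of profiles with at least one finding."""
    return sorted(n for n, p in audit_saml_profiles(config_xml).items() if p)


if __name__ == "__main__":
    for name, problems in audit_saml_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```

The script cannot tell a self-signed IdP certificate from a CA-issued one; for profiles using a self-signed certificate, follow the Knowledge Base guidance referenced above rather than this check alone.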