CVE-2020-2021 – Palo Alto Networks – Critical Security Advisory (SAML)

Recently released versions of PAN-OS contain an important fix for a critical security vulnerability listed on the Palo Alto Networks Security Advisories Site. (https://security.paloaltonetworks.com/CVE-2020-2021)

If you are using SAML in production deployments, you may be affected by this critical security vulnerability under certain configurations. The risk can be mitigated by upgrading to a fixed version of PAN-OS outlined below (strongly recommended), or by ensuring that your SAML configuration is updated.

Even if you update your SAML configuration to mitigate the vulnerability, or if you are not using SAML, we encourage you to upgrade at your earliest convenience to avoid any inadvertent exposure with an unpatched version.

The PAN-OS versions with the fix include PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Instructions for checking the ‘Validate Identity Provider Certificate’ SAML setting and the PAN-OS version are included below.

For more information on the required steps to upgrade, please see the Upgrade/Downgrade Considerations article.

If upgrading at this time is not an option, take immediate action and apply the following mitigation steps to help reduce risk.

  1. Ensure the ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML-based authentication configuration.
  2. If the ‘Identity Provider Certificate’ is NOT a self-signed certificate, ensure the ‘Validate Identity Provider Certificate’ option is turned on in the SAML Identity Provider Server Profile.
  3. If the ‘Identity Provider Certificate’ is a self-signed certificate, consult the published Knowledge Base article (here) to learn more about IdP settings, and contact your customer’s SAML/Identity administrators to make the necessary modifications.
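The following script is an added example (not Palo Alto Networks code and not part of the original advisory) that automates the two checks this post asks for: it compares a running PAN-OS version against the fixed releases listed above (8.1.15, 9.0.9, 9.1.3 and all later versions), and it scans a PAN-OS XML configuration export for SAML Identity Provider server profiles that have no ‘Identity Provider Certificate’ or do not have ‘Validate Identity Provider Certificate’ enabled. The XML element names used (`server-profile/saml-idp/entry`, `certificate`, `validate-idp-certificate`) are assumptions about the export format, and the embedded configuration is constructed for the example; check both against an export from your own firewall before relying on the output.

```python
"""Triage helper for the CVE-2020-2021 mitigation steps.

Added example, not Palo Alto Networks code.  Two checks from the advisory summary:
  1. is the running PAN-OS version one of the fixed releases (or later)?
  2. does every SAML IdP server profile have an Identity Provider Certificate
     configured and 'Validate Identity Provider Certificate' enabled?
The element names below (saml-idp/entry, certificate, validate-idp-certificate)
are assumptions about the PAN-OS XML export; verify them against a real export.
"""
import xml.etree.ElementTree as ET

# Earliest fixed release per maintenance branch, as stated in the advisory summary.
FIXED_VERSIONS = {(8, 1): (8, 1, 15), (9, 0): (9, 0, 9), (9, 1): (9, 1, 3)}


def parse_version(text):
    """Turn '9.0.9-h1' or '8.1.15' into (major, minor, patch), ignoring hotfix suffixes."""
    base = text.strip().split("-")[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(p) for p in parts)


def version_status(text):
    """Return 'fixed', 'vulnerable' or 'unlisted' for a PAN-OS version string."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return "fixed" if (major, minor, patch) >= FIXED_VERSIONS[branch] else "vulnerable"
    # Branches newer than 9.1 fall under "all later versions"; branches older than
    # 8.1 are not mentioned in the post, so they are reported for manual review.
    if branch > max(FIXED_VERSIONS):
        return "fixed"
    return "unlisted"


# Constructed sample export: one hardened profile and two that need attention.
SAMPLE_CONFIG = """\
<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="idp-hardened">
          <certificate>corp-idp-ca-signed</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="idp-no-validate">
          <certificate>corp-idp-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="idp-no-cert">
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>
"""


def audit_saml_profiles(config_xml):
    """Return [(profile_name, findings)] for every SAML IdP server profile.

    An empty findings list means the profile passes both checks.  Whether the
    certificate is self-signed (step 3) cannot be read from the profile itself,
    so a disabled validation flag is reported for review rather than as a
    definite failure.
    """
    root = ET.fromstring(config_xml)
    results = []
    for container in root.iter("saml-idp"):          # assumed location of profiles
        for profile in container.findall("entry"):
            name = profile.get("name", "<unnamed>")
            findings = []
            if not profile.findtext("certificate", default="").strip():
                findings.append("no Identity Provider Certificate configured (step 1)")
            flag = profile.findtext("validate-idp-certificate", default="").strip().lower()
            if flag != "yes":
                findings.append("'Validate Identity Provider Certificate' not enabled; "
                                "required unless the IdP certificate is self-signed (steps 2-3)")
            results.append((name, findings))
    return results


if __name__ == "__main__":
    for ver in ("8.1.14", "9.0.9-h1", "9.1.3", "10.0.0", "8.0.20"):
        print(f"PAN-OS {ver}: {version_status(ver)}")
    for name, findings in audit_saml_profiles(SAMPLE_CONFIG):
        print(f"profile {name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real configuration by replacing `SAMPLE_CONFIG` with the contents of an exported PAN-OS XML file; a profile that passes both checks prints `OK`, and every other profile lists which of the three mitigation steps applies.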

Jordan is a Cybersecurity Engineer who has consulted in numerous sectors such as finance, education, manufacturing, and public sector organizations within the United States.