How the CVE-2020-2021 vulnerability bypasses the SAML authentication mechanism

2025-02-21 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article explains in detail the CVE-2020-2021 SAML authentication bypass vulnerability. It is shared here as a reference for readers who want to understand the issue.

0x00 vulnerability background

On June 30, 2020, 360CERT monitoring found that Palo Alto had officially issued a risk notice for a SAML authentication bypass. The vulnerability number is CVE-2020-2021 and the vulnerability level is high risk.

Security Assertion Markup Language (SAML) is a standard for logging a user into the current application based on his or her session in another context.

The SAML authentication mechanism is exposed to an authentication bypass. When SAML is enabled and the Validate Identity Provider Certificate option is disabled, a remote unauthenticated attacker can use this vulnerability to bypass SAML authentication and access protected resources.

360CERT recommends that users promptly install the latest patches and carry out asset self-inspection and preventive work to avoid attacks.

0x01 risk rating

360CERT's assessment of the vulnerability is as follows:

| Assessment method | Level |
| --- | --- |
| Threat level | High risk |
| Impact scope | Wide |

0x02 vulnerability details

There are three preconditions for this vulnerability:

The SAML authentication mechanism is used for authentication.

The Validate Identity Provider Certificate option is turned off.

The remote attacker can reach the vulnerable server.

Resources protected by SAML single sign-on authentication are affected by this vulnerability when all three conditions above are met:

GlobalProtect Gateway

GlobalProtect Portal

GlobalProtect Clientless VPN

Authentication and Captive Portal

PAN-OS next-generation firewalls (PA-Series, VM-Series)

Panorama web interfaces

Prisma Access

For GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access products, unauthenticated attackers can use this vulnerability to bypass the authentication mechanism of the target server and access protected resources. However, attackers cannot affect the integrity of the product, nor can they tamper with the sessions of ordinary users.

For PAN-OS and Panorama web interfaces, an unauthenticated attacker can log in to the product's management interface as an administrator and perform the corresponding administrative actions.

According to the official description, the vulnerability has not been found to be exploited in the wild.
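The first two preconditions above can be checked from an exported configuration. The following audit script is an added example, not code from 360CERT or Palo Alto; the XML element names (`server-profile/saml-idp`, `validate-idp-certificate`, `authentication-profile`) are an assumed layout for a PAN-OS configuration export, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed layout, not taken from a real device.
SAMPLE_CONFIG = """
<config><shared>
  <server-profile><saml-idp>
    <entry name="idp-corp"><validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="idp-lab"><validate-idp-certificate>yes</validate-idp-certificate></entry>
    <entry name="idp-unused"><validate-idp-certificate>no</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="gp-portal-auth">
      <method><saml-idp><server-profile>idp-corp</server-profile></saml-idp></method>
    </entry>
    <entry name="admin-ui-auth">
      <method><saml-idp><server-profile>idp-lab</server-profile></saml-idp></method>
    </entry>
  </authentication-profile>
</shared></config>
"""

def audit_saml(config_xml):
    """Map each SAML IdP profile with certificate validation off to the
    authentication profiles that reference it (empty list = not in use)."""
    root = ET.fromstring(config_xml)
    unvalidated = {}
    # Precondition 2: IdP server profiles where validation is explicitly "no".
    for idp in root.findall(".//server-profile/saml-idp/entry"):
        flag = (idp.findtext("validate-idp-certificate") or "").strip().lower()
        if flag == "no":
            unvalidated[idp.get("name")] = []
    # Precondition 1: authentication profiles that actually use such a profile.
    for ap in root.findall(".//authentication-profile/entry"):
        ref = (ap.findtext("method/saml-idp/server-profile") or "").strip()
        if ref in unvalidated:
            unvalidated[ref].append(ap.get("name"))
    return unvalidated

if __name__ == "__main__":
    for idp, users in audit_saml(SAMPLE_CONFIG).items():
        state = "in use by " + ", ".join(users) if users else "not referenced"
        print(f"{idp}: IdP certificate validation disabled ({state})")
```

Precondition 3 (network reachability) cannot be read from the configuration and has to be assessed separately. Profile names are matched globally here, so a multi-vsys export with duplicate names needs per-vsys handling.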

0x03 affected versions

PAN-OS 9.1:
