CVE-2020-2021
📋 TL;DR
CVE-2020-2021 is a critical SAML authentication bypass vulnerability in PAN-OS that allows unauthenticated attackers to access protected resources when SAML is enabled with certificate validation disabled. Affected systems include PAN-OS firewalls (PA-Series, VM-Series), Panorama, GlobalProtect gateways/portals, and Prisma Access. The vulnerability enables attackers to gain administrative access to web interfaces or access protected VPN resources.
💻 Affected Systems
- PAN-OS
- Panorama
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Prisma Access
- PA-Series
- VM-Series
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attacker gains administrative access to PAN-OS/Panorama web interfaces, allowing complete system compromise and administrative actions.
Likely Case
Unauthenticated attacker accesses protected GlobalProtect VPN resources or administrative interfaces if exposed to their network segment.
If Mitigated
No impact if SAML is not used, certificate validation is enabled, or systems are properly segmented with restricted access.
🎯 Exploit Status
Exploitation requires network access to the vulnerable service but no authentication. A public proof-of-concept exists. Palo Alto Networks reports no known malicious exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 9.1.3, 9.0.9, 8.1.15 or later
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2020-2021
Restart Required: Yes
Instructions:
1. Download the appropriate PAN-OS update from the Palo Alto Networks support portal.
2. Upload it to the firewall or Panorama.
3. Install the update via the web interface or CLI.
4. Reboot the system after the installation completes.
🔧 Temporary Workarounds
Enable SAML Certificate Validation
Enable the 'Validate Identity Provider Certificate' option in every SAML Identity Provider Server Profile
Configure via PAN-OS web interface: Device > Server Profiles > SAML Identity Provider > Edit profile > Check 'Validate Identity Provider Certificate'
Disable SAML Authentication
Remove SAML authentication from affected services if it is not required
Configure via PAN-OS web interface: Remove SAML authentication from GlobalProtect, Captive Portal, or web interface authentication settings
🧯 If You Can't Patch
- Enable 'Validate Identity Provider Certificate' in all SAML Identity Provider Server Profiles
- Restrict network access to PAN-OS/Panorama web interfaces and GlobalProtect services using firewall rules and network segmentation
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version via the web interface (Dashboard > System > General) or the CLI (show system info), then check whether SAML is enabled with certificate validation disabled in any SAML Identity Provider Server Profile.
Check Version:
show system info | match version
Verify Fix Applied:
Confirm the PAN-OS version is 9.1.3 or later, 9.0.9 or later, or 8.1.15 or later. Verify that 'Validate Identity Provider Certificate' is enabled in all SAML Identity Provider Server Profiles.
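As an added verification helper (not code from the advisory or from Palo Alto Networks), the following Python script combines the two checks above: it compares the sw-version reported by show system info against the fixed releases, and scans an exported PAN-OS XML configuration for SAML IdP server profiles whose certificate validation is off. The XML element names (saml-idp/entry, validate-idp-certificate) are assumed from the PAN-OS configuration layout, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as stated in the advisory.
FIXED = {(8, 1): (8, 1, 15), (9, 0): (9, 0, 9), (9, 1): (9, 1, 3)}

def parse_version(ver):
    """'sw-version: 9.0.8-h3' or '9.0.8' -> (9, 0, 8); hotfix suffix ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    return tuple(int(x) for x in m.groups())

def version_is_fixed(ver):
    """True if the release is at or above the fix for its branch."""
    v = parse_version(ver)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    # Branches newer than 9.1 shipped after the fix. Older branches have no
    # fixed release listed here, so they are conservatively treated as unfixed.
    return branch > (9, 1)

def unvalidated_saml_profiles(config_xml):
    """Names of SAML IdP server profiles that do not validate the IdP certificate.
    Assumed layout: .../server-profile/saml-idp/entry[@name] containing a
    <validate-idp-certificate> element; a missing element is treated as 'no'."""
    root = ET.fromstring(config_xml)
    return [
        e.get("name")
        for e in root.iterfind(".//saml-idp/entry")
        if (e.findtext("validate-idp-certificate") or "no").strip().lower() != "yes"
    ]

def assess(ver, config_xml):
    """Exposed only when the release is unfixed AND a profile skips validation."""
    fixed = version_is_fixed(ver)
    weak = unvalidated_saml_profiles(config_xml)
    return {"version_fixed": fixed, "unvalidated_profiles": weak,
            "vulnerable": (not fixed) and bool(weak)}

# Constructed sample config: one profile with validation off, one with it on.
SAMPLE_CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="idp-a"><validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="idp-b"><validate-idp-certificate>yes</validate-idp-certificate></entry>
</saml-idp></server-profile></shared></config>"""

if __name__ == "__main__":
    print(assess("sw-version: 9.0.8", SAMPLE_CONFIG))
```

Even on a fixed release, any profile the script lists should still be corrected, since the workaround setting is the intended configuration regardless of version.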
📡 Detection & Monitoring
Log Indicators:
- Unexpected administrator logins from new IPs
- SAML authentication failures or bypass attempts
- Access to protected resources without proper authentication
Network Indicators:
- Unusual SAML request patterns to PAN-OS services
- Authentication attempts with malformed SAML assertions
SIEM Query:
source="pan" AND (eventtype="auth" OR eventtype="traffic") AND (saml OR authentication) AND (status="success" OR action="allow") AND NOT src_ip IN (<known_admin_ips>)
Replace <known_admin_ips> with your administrator source-address allow-list; the field names (src_ip, eventtype, status, action) are illustrative and must be mapped to your PAN-OS log schema.