
CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication - xoa
https://security.paloaltonetworks.com/CVE-2020-2021
======
xoa
For anyone who checks the comments first: this is a Severity 10 Critical level
bug affecting a pile of PAN devices running 8.x and 9.x series OS. When
exploitable (SAML auth, net access to device, not validating ID cert) it
allows easy remote escalation to network administrator because the devices
just plain don't bother validating the signature.

If you're running one of these things, update and make sure the box is checked
to validate ID (why is this even an option?). Or throw it in the trash. I
guess it's also a good reminder of the risks edge-based security policies hold
and why some level of additional layers is important even for places that
can't manage full BeyondCorp-style zero trust. It's too bad even basic stuff
like network segmentation isn't as friendly as it could be. Of course, actually
choosing decent edge devices helps too; Palo Alto has been derided here for
years for good reason. Regrettably they seem to be plenty common :\

