Palo Alto Networks recently became aware of an issue impacting PAN-OS features where SAML-based authentication is used, which may allow a malicious attacker to authenticate successfully to various services without valid credentials. Impacted devices and software include the GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Captive Portal, and Prisma Access, including PAN-OS and Panorama web management interfaces.
The vulnerability requires specific configuration settings on PAN-OS to be enabled for successful exploitation. We believe the potential for impact is high, and the required configuration may be common when single-sign-on providers like Okta are used.
All customers leveraging SAML authentication on an impacted software version(s) must take immediate action to implement mitigation steps or upgrade to an updated PAN-OS release.
Devices and software leveraging SAML authentication are vulnerable to this issue. Resources that can be protected by SAML-based single-sign-on authentication are:
GlobalProtect Clientless VPN
Authentication and Captive Portal
PAN-OS and Panorama web management interfaces
Devices must leverage SAML authentication to be vulnerable. This issue cannot be exploited if SAML is not being used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is turned on.
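To help locate SAML IdP server profiles that still have 'Validate Identity Provider Certificate' turned off, the following added script (not from Palo Alto Networks) walks an exported PAN-OS configuration and flags every profile where the option is not explicitly enabled. The XML layout, the element name `validate-idp-certificate`, and the sample configuration are all assumptions constructed for this example; adjust the element name to match your own exported configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration export (hypothetical layout).
# The element names are assumed for this example, not taken from vendor docs.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-prod">
          <entity-id>urn:example:idp-constructed-1</entity-id>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="okta-hardened">
          <entity-id>urn:example:idp-constructed-2</entity-id>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp">
          <entity-id>urn:example:idp-constructed-3</entity-id>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""


def find_unvalidated_saml_profiles(config_xml: str) -> list:
    """Return the names of SAML IdP profiles where the 'Validate Identity
    Provider Certificate' option is not enabled. A missing element is treated
    as 'no', because an absent setting is not a mitigation."""
    root = ET.fromstring(config_xml)
    flagged = []
    # Profiles may live under shared or per-vsys, so search the whole tree.
    for container in root.iter("saml-idp"):
        for profile in container.findall("entry"):
            name = profile.get("name", "<unnamed>")
            value = profile.findtext("validate-idp-certificate", default="no")
            if value.strip().lower() != "yes":
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_unvalidated_saml_profiles(SAMPLE_CONFIG):
        print(f"SAML IdP profile '{name}': IdP certificate validation is OFF")
```

Profiles reported by the script are the ones that should be corrected (or the device upgraded) before relying on SAML for any of the services listed above.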
While leveraging the mitigation options posted will reduce the attack surface, customers are advised to treat the need to upgrade all impacted devices globally with a high sense of urgency. The guidance provided below is intended to act as a short-term countermeasure until customer devices can be upgraded. Customers not leveraging SAML authentication at this time are strongly advised to proceed with the upgrade as well, to ensure a vulnerability is not introduced should a SAML integration be added in the future.
Flowchart to help identify potential for impact in existing configurations