Critical Security Advisory CVE-2020-2021

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Severity 10 Critical information.png


Palo Alto Networks recently became aware of an issue impacting PAN-OS features where SAML based authentication is used, which may allow a malicious attacker to authenticate successfully to various services without valid credentials. Impacted devices and software include the GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Captive Portal, and Prisma Access, including PAN-OS and Panorama web management interfaces.


The vulnerability requires specific configuration settings on PAN-OS to be enabled for successful exploitation. We believe the potential for impact is high, and the required configuration may be common when single-sign-on providers like Okta are used.


All customers leveraging SAML authentication on an impacted software version(s) must take immediate action to implement mitigation steps or upgrade to an updated PAN-OS release.


Advisory Link:


Impacted Configurations

Devices and software leveraging SAML authentication are vulnerable to this issue. Resources that can be protected by SAML-based single-sign-on authentication are:

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS and Panorama web management interfaces
  • Prisma Access

Devices must leverage SAML authentication to be vulnerable. This issue can not be exploited if SAML is not being used for authentication. This issue can not be exploited if the 'Validate Identity Provider Certificate' option is turned on.


Impacted PAN-OS Software versions:

Versions Affected First Fixed Unaffected
9.1 < 9.1.3 9.1.3 >= 9.1.3
9.0 < 9.0.9 9.0.9 >= 9.0.9
8.1 < 8.1.15 8.1.15 >= 8.1.15
8.0 8.0.*    
7.1     7.1.*

* Indicates all minor releases in PAN-OS version


Mitigation Options

For available mitigation options please see the Knowledge Base article on "Securing your SAML Deployments." Additional steps may be required to invalidate Authentication Override Cookies for existing sessions as discussed in "How To Invalidate Previously Issued GlobalProtect Authentication Override Cookies."


While leveraging the mitigation options posted will reduce the attack surface, customers are advised to treat the need to upgrade all impacted devices globally with a high sense of urgency. The guidance provided below is intended to act as a short-term countermeasure until customer devices can be upgraded. For customers not leveraging SAML authentication as of this time, it is strongly advised to proceed with the upgrade to ensure a vulnerability is not introduced should a SAML integration be added in the future.


Flowchart to help identify potential for impact in existing configurationsFlowchart to help identify potential for impact in existing configurations


Additional Documentation Resources

Advisory Link


Knowledge Base Articles:

Securing your SAML Deployments

Identity Provider Configuration for SAML

How To Invalidate Previously Issued GlobalProtect Authentication Override Cookie

Verifying Prisma Access Configuration


Tips for Identification of Authenticated Users and GlobalProtect Authentication:

How to Check User Access by GlobalProtect for Specific Time Period

How to Run a Report for Previous Logged in GlobalProtect Users



Thanks for taking time to read my blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.


Stay Secure,
Kiwi out!

Register or Sign-in
Top Liked Authors