A couple of weeks ago, security vendors Palo Alto Networks and F5 Networks addressed multiple high-severity vulnerabilities in their networking products, which left tens of thousands of security devices vulnerable to cyberattacks.
Now that proof-of-concept (PoC) exploits for these vulnerabilities are public, threat actors are already exploiting them.
Vulnerabilities in Palo Alto Devices
According to the security advisory posted by Palo Alto Networks, a critical vulnerability was discovered in the PAN-OS software that runs on all Palo Alto Networks next-generation firewalls.
The vulnerability is tracked as CVE-2020-2021 and has a 10 (critical) CVSSv3 base score.
Type of vulnerability
The authentication bypass vulnerability is present in the SAML authentication of PAN-OS software.
“This issue is applicable only where SAML authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked) in the SAML Identity Provider Server Profile,” reads the security advisory Palo Alto posted on June 29, 2020.
Impact of this vulnerability in PAN-OS
By exploiting this vulnerability, “an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security Policies.”
“There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users,” the Palo Alto advisory explains.
At the time of writing this article, no specific active exploitation attempts have been identified against PAN-OS.
Affected device versions
The vulnerability affects only devices on which SAML authentication is enabled.
According to Rapid7’s Project Sonar study, over 69,000 Palo Alto firewall nodes are exposed globally (patched or unpatched), 28,188 (40.6%) of them in the U.S.
Here’s a list of PAN-OS versions that are affected by this vulnerability:
- PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
- PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
- PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
- All versions of PAN-OS 8.0 (EOL)
However, the vulnerability does not affect PAN-OS 7.1.
The vulnerability is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.
For more on workarounds and mitigations, see the Palo Alto advisory.
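As an added example (not from the article or from Palo Alto), the following Python script applies the advisory’s affected-version list and the two SAML profile conditions above to a constructed device inventory, so an operator can see which firewalls need the patch or a profile change first; hostnames and settings are hypothetical.

```python
from dataclasses import dataclass

# Affected trains from the advisory: (major, minor) -> first fixed release.
# None means every release of the train is affected (PAN-OS 8.0 is EOL).
# Trains not listed, such as PAN-OS 7.1, are not affected.
FIRST_FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15), (8, 0): None}


def parse_version(text: str) -> tuple:
    """Turn '9.1.2-h1' into (9, 1, 2); hotfix suffixes are ignored."""
    parts = tuple(int(p) for p in text.strip().split("-")[0].split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return parts


def version_is_affected(text: str) -> bool:
    """True if this PAN-OS release falls inside an affected range."""
    v = parse_version(text)
    if v[:2] not in FIRST_FIXED:
        return False
    fixed = FIRST_FIXED[v[:2]]
    return True if fixed is None else v < fixed  # e.g. (9, 1, 2) < (9, 1, 3)


@dataclass
class Device:
    name: str
    version: str
    saml_enabled: bool
    validate_idp_cert: bool


def exposed(device: Device) -> bool:
    """Exploitable only when the code is vulnerable AND SAML is enabled AND
    'Validate Identity Provider Certificate' is unchecked."""
    return (version_is_affected(device.version)
            and device.saml_enabled
            and not device.validate_idp_cert)


# Constructed sample inventory (hypothetical hostnames and settings).
INVENTORY = [
    Device("fw-edge-1", "9.1.2", saml_enabled=True, validate_idp_cert=False),
    Device("fw-edge-2", "9.1.2", saml_enabled=True, validate_idp_cert=True),
    Device("fw-dc-1", "8.1.15", saml_enabled=True, validate_idp_cert=False),
    Device("fw-lab", "8.0.20", saml_enabled=False, validate_idp_cert=False),
]


def exposed_names(devices=INVENTORY) -> list:
    """Devices that need the patch or a SAML profile change now."""
    return [d.name for d in devices if exposed(d)]
```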
Vulnerabilities in F5 Devices
According to the security bulletins (1, 2) posted by F5 Networks, multiple high-severity vulnerabilities were found in the Traffic Management User Interface (TMUI), also known as the Configuration utility, of F5’s BIG-IP application delivery controller (ADC).
The two vulnerabilities are tracked as:
- Remote Code Execution (RCE): CVE-2020-5902 with CVSSv3 base score of 10
- Cross-Site Scripting (XSS): CVE-2020-5903 with CVSSv3 base score of 7.5
Both vulnerabilities were discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies.
Impact of these vulnerabilities in TMUI
- RCE: “This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code,” reads the security advisory published by F5 on July 1, 2020.
Yesterday, many security researchers shared PoCs for F5 BIG-IP CVE-2020-5902 showing how commands can be executed remotely on vulnerable BIG-IP devices.
This will invite more and more attacks on organizations and government entities that still have these devices unpatched on their networks.
The US Cyber Command also instructed organizations to patch these vulnerabilities immediately.
USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert), July 3, 2020: “URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv”
F5’s BIG-IP software and hardware solutions are widely used by government entities, banks, service providers, Fortune 500 firms, and consumer brands such as Microsoft, Facebook, and Oracle.
According to Shodan, more than 8,000 BIG-IP ADC devices were found vulnerable to RCE (CVE-2020-5902) last month.
According to Bad Packets, its honeypot operation scanned 3,945 F5 BIG-IP servers and found 1,832 unique IPv4 hosts vulnerable to CVE-2020-5902.
Companies are advised to update their BIG-IP devices with the latest patches.
- BIG-IP versions affected by the RCE (CVE-2020-5902): 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x
- BIG-IP versions affected by the XSS (CVE-2020-5903): 12.1.x, 13.1.x, 14.1.x, 15.1.x
- Patched BIG-IP versions for the RCE (CVE-2020-5902): [the five fixed version numbers were garbled in this copy of the article; consult the F5 security bulletin]
- Patched BIG-IP versions for the XSS (CVE-2020-5903): [the four fixed version numbers were garbled in this copy of the article; consult the F5 security bulletin]