During an internal security review, Palo Alto Networks discovered an authentication bypass vulnerability in some versions of its PAN-OS software. The vulnerability can be exploited to gain access to restricted VPN network resources.
PAN-OS is the software that powers all of Palo Alto Networks' firewall products. The vulnerability affects certain versions of four branches of PAN-OS. On PAN-OS 8.1, it affects versions earlier than PAN-OS 8.1.17; on PAN-OS 9.0, versions earlier than PAN-OS 9.0.11; on PAN-OS 9.1, versions earlier than PAN-OS 9.1.5; and on PAN-OS 10.0, versions earlier than PAN-OS 10.0.1.
Even if you are running an affected version, you are only at risk if your PAN-OS appliance is configured to let users authenticate with client certificate authentication.
Stay updated
The authentication bypass issue specifically exists in the GlobalProtect SSL VPN component of PAN-OS.
For the attack to succeed, the appliance must be running one of the older PAN-OS versions listed above, and its GlobalProtect portal or gateway must be configured to rely solely on client certificate authentication. In that scenario, an attacker can reach the network while bypassing all client certificate checks.
Palo Alto Networks has rated the issue as high severity, although it isn't aware of any malicious exploitation of the issue in the wild.
To mitigate the issue, upgrade the appliance to the fixed release of its branch or later (PAN-OS 8.1.17, 9.0.11, 9.1.5 or 10.0.1). As a workaround, you can also configure the GlobalProtect portal and gateway to require all users to authenticate with their credentials rather than relying solely on client certificates.
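Both conditions above (an unfixed release in one of the four branches, plus certificate-only authentication on the GlobalProtect portal or gateway) have to hold for an appliance to be exposed, so a quick triage pass over a firewall inventory needs a version comparison against the fixed releases and the authentication setting. The following script is an added example and is not code from Palo Alto Networks or from this article; the fixed-release numbers are the ones quoted above, the handling of `-hN` hotfix suffixes is an assumption about PAN-OS version strings, and the inventory it runs over is constructed for illustration. Branches the advisory does not list are reported as unknown rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases quoted in the advisory. Any release in one of these branches
# numbered lower than the fixed release is affected.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 1): (8, 1, 17),
    (9, 0): (9, 0, 11),
    (9, 1): (9, 1, 5),
    (10, 0): (10, 0, 1),
}

# Assumption: PAN-OS versions look like "9.1.4" or "9.1.4-h1" (hotfix suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def version_is_affected(text: str) -> Optional[bool]:
    """True if the release is below the fixed release of its branch,
    False if it is the fixed release or later, None if the branch is
    not one of the four listed in the advisory."""
    major, minor, patch, _hotfix = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    # A hotfix of an older base release (e.g. 9.1.4-h1) is still older than
    # the fixed base release (9.1.5), so only the base triple is compared.
    return (major, minor, patch) < fixed


def appliance_is_exposed(version: str, cert_only_auth: bool) -> Optional[bool]:
    """Both advisory conditions must hold: an affected release and a
    GlobalProtect portal/gateway that relies solely on client certificates."""
    affected = version_is_affected(version)
    if affected is None:
        return None
    return affected and cert_only_auth


# Constructed sample inventory (hypothetical names, not real devices):
# (hostname, PAN-OS version, GlobalProtect configured for certificate-only auth?)
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("fw-edge-01", "9.1.4-h1", True),   # old release, cert-only auth: exposed
    ("fw-edge-02", "9.1.5", True),      # fixed release: not exposed
    ("fw-dc-01", "8.1.16", False),      # old release but credentials required
    ("fw-dc-02", "10.0.0", True),       # old release, cert-only auth: exposed
    ("fw-lab-01", "10.0.1", True),      # fixed release: not exposed
]


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, Optional[bool]]:
    """Map each hostname to True (exposed), False (not exposed) or None (unknown branch)."""
    return {name: appliance_is_exposed(version, cert_only)
            for name, version, cert_only in inventory}


if __name__ == "__main__":
    labels = {True: "EXPOSED", False: "ok", None: "branch not covered by advisory"}
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {labels[verdict]}")
```

The verdict for each host is the conjunction of the two conditions: an appliance on an affected release whose portal and gateway already require credentials is reported as not exposed, which matches the workaround in the text, while an upgrade to the fixed release clears the finding regardless of the authentication setting.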