SentinelOne
CVE Vulnerability Database

CVE-2020-2021: PAN-OS SAML Auth Bypass Vulnerability

CVE-2020-2021 is a critical SAML authentication bypass in Palo Alto Networks PAN-OS that allows attackers to access protected resources without credentials. This article covers technical details, affected versions, and mitigation.

CVE-2020-2021 Overview

CVE-2020-2021 is a critical authentication bypass vulnerability in Palo Alto Networks PAN-OS affecting Security Assertion Markup Language (SAML) authentication. When SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures allows an unauthenticated network-based attacker to access protected resources. This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.

Critical Impact

An unauthenticated attacker with network access can bypass SAML authentication to gain administrative access to PAN-OS and Panorama web interfaces, or access protected resources through GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, and Prisma Access.

Affected Products

  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • All versions of PAN-OS 8.0 (End of Life)
  • PA-Series and VM-Series next-generation firewalls
  • Panorama web interfaces
  • Prisma Access

Discovery Timeline

  • 2020-06-29 - CVE-2020-2021 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2020-2021

Vulnerability Analysis

This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) stems from a fundamental flaw in how PAN-OS validates SAML authentication responses when the 'Validate Identity Provider Certificate' option is disabled. SAML relies on cryptographic signatures to verify that authentication assertions originate from trusted identity providers. When certificate validation is disabled, the system fails to properly verify these signatures, creating a critical authentication bypass condition.

The vulnerability affects multiple protected resources, including GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS firewalls (PA-Series, VM-Series), Panorama web interfaces, and Prisma Access. The impact depends on the component: on the PAN-OS and Panorama web interfaces an attacker gains full administrative access, while on the VPN and portal resources the attacker's access is bounded by the configured authentication and security policies.

Root Cause

The root cause is improper verification of cryptographic signatures in the SAML authentication implementation. When administrators disable the 'Validate Identity Provider Certificate' option in the SAML Identity Provider Server Profile configuration, PAN-OS does not adequately verify that SAML assertions are authentically signed by the trusted identity provider. This allows attackers to forge or manipulate SAML responses to gain unauthorized access.
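The following is an added example, not PAN-OS code, and it models the failure class rather than the vendor's exact implementation: a verifier that checks the signature against whatever key material the SAML response itself advertises (the equivalent of leaving 'Validate Identity Provider Certificate' unchecked, as this example reads it) next to a verifier that only accepts the configured identity provider's key. The signature scheme is a tiny Schnorr group constructed for illustration only; real SAML uses XML-DSig with X.509 certificates, and all key values here are assumptions.

```python
"""Toy model of the CVE-2020-2021 failure class (CWE-347).

Added example, not PAN-OS code. Contrasts a verifier that trusts the
signing key carried inside the SAML response with one that insists the
signer is the configured identity provider.
"""
import hashlib
from dataclasses import dataclass

# Toy Schnorr parameters: p = 2q + 1 with q prime, g of order q.
# Constructed for illustration; far too small for real use.
P, Q = 2039, 1019
G = pow(2, 2, P)


def _hash_to_int(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big")


def keygen(x: int) -> tuple[int, int]:
    """Toy key pair (private x, public y = g^x mod p). Real keys are random."""
    assert 1 <= x < Q
    return x, pow(G, x, P)


def sign(x: int, msg: bytes) -> tuple[int, int]:
    """Schnorr signature (e, s) over msg with a deterministic nonce k."""
    k = _hash_to_int(b"nonce", x.to_bytes(4, "big"), msg) % (Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_to_int(r.to_bytes(2, "big"), msg) % Q
    s = (k - x * e) % Q
    return e, s


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """True if (e, s) is a valid signature on msg under public key y."""
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P
    return _hash_to_int(r.to_bytes(2, "big"), msg) % Q == e


@dataclass(frozen=True)
class SamlResponse:
    """Stand-in for a SAML <Response>: assertion text, the signing key the
    message advertises (think <ds:KeyInfo>), and the signature over the
    assertion. Every field arrives from the network and is untrusted."""
    assertion: bytes
    advertised_key: int
    signature: tuple[int, int]


def verify_trusting_message_key(resp: SamlResponse) -> bool:
    """Weak path: the signature is checked, but against the key the message
    itself supplied, so a valid signature by ANY key passes."""
    return verify(resp.advertised_key, resp.assertion, resp.signature)


def verify_against_configured_idp(resp: SamlResponse, idp_public_key: int) -> bool:
    """Hardened path: the advertised key must match the configured IdP key,
    and verification uses the trusted key, never message-supplied material."""
    if resp.advertised_key != idp_public_key:
        return False
    return verify(idp_public_key, resp.assertion, resp.signature)


def demo() -> dict[str, bool]:
    """Run both verifiers over a genuine response and one signed by a key
    the administrator never configured (constructed test inputs)."""
    idp_priv, idp_pub = keygen(17)        # assumed: the configured IdP's key pair
    other_priv, other_pub = keygen(42)    # assumed: some other, untrusted key pair

    genuine_text = b"NameID=alice;Role=user"
    genuine = SamlResponse(genuine_text, idp_pub, sign(idp_priv, genuine_text))
    foreign_text = b"NameID=admin;Role=superuser"
    foreign = SamlResponse(foreign_text, other_pub, sign(other_priv, foreign_text))

    return {
        "weak_accepts_genuine": verify_trusting_message_key(genuine),
        "weak_accepts_foreign_signer": verify_trusting_message_key(foreign),
        "hardened_accepts_genuine": verify_against_configured_idp(genuine, idp_pub),
        "hardened_rejects_foreign_signer": not verify_against_configured_idp(foreign, idp_pub),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the example makes is that the weak verifier is not skipping signature checks; the signature math runs and a corrupted signature would still fail. What it skips is the trust decision, so the check proves only that the message was signed by whoever produced it. Pinning the signer to the configured identity provider is what the 'Validate Identity Provider Certificate' option restores.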

Attack Vector

The attack requires network access to the vulnerable PAN-OS server and exploits the SAML authentication endpoint. An attacker can craft malicious SAML responses that bypass authentication controls when certificate validation is disabled. The attack is unauthenticated and does not require user interaction, making it highly exploitable in exposed environments.

For GlobalProtect and Captive Portal scenarios, successful exploitation grants access to protected resources according to configured authentication and security policies. For PAN-OS and Panorama web interfaces, exploitation allows the attacker to log in as an administrator and perform any administrative action, potentially leading to complete compromise of the firewall infrastructure.

The vulnerability cannot be exploited if:

  • SAML is not used for authentication
  • The 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile

Detection Methods for CVE-2020-2021

Indicators of Compromise

  • Unexpected or anomalous SAML authentication events in PAN-OS logs, particularly successful authentications from unusual source IPs
  • Administrative actions performed by accounts that should not have direct access or during unusual hours
  • Configuration changes to SAML Identity Provider Server Profiles or authentication policies
  • Unexplained changes to security policies, routing configurations, or firewall rules
  • Evidence of reconnaissance or lateral movement originating from the firewall management interface

Detection Strategies

  • Monitor PAN-OS authentication logs for SAML-based authentication events, correlating with expected user behavior and source networks
  • Implement alerting for administrative logins from non-standard management networks or unexpected geographic locations
  • Review configuration change logs for modifications to SAML settings or authentication profiles
  • Deploy network monitoring to detect unexpected traffic patterns to management interfaces
  • Correlate firewall logs with identity provider logs to identify discrepancies in authentication claims

Monitoring Recommendations

  • Enable verbose logging for SAML authentication events on all affected PAN-OS devices
  • Implement centralized log collection using Panorama or SIEM integration for real-time analysis
  • Configure alerts for any administrative configuration changes, especially to authentication settings
  • Monitor network traffic to management interfaces and SAML endpoints for anomalous patterns
  • Establish baseline behavior for administrative access and alert on deviations
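As an added example covering the detection strategies and monitoring recommendations above (it is not SentinelOne's or Palo Alto Networks' code), the script below triages a handful of constructed log lines: it flags successful SAML logins from outside an assumed management network, web-interface SAML logins outside assumed business hours, and configuration edits that touch a SAML Identity Provider profile, with a specific rule for the 'Validate Identity Provider Certificate' option being turned off. The line format, the management CIDR and the business-hours window are all assumptions for the demo, not PAN-OS's real log schema.

```python
"""Triage of authentication and configuration events for CVE-2020-2021 hunting.

Added example. The comma-separated key=value log format, the management
network and the business-hours window are constructed for this demo and
must be adapted to the real log source before use.
"""
import ipaddress
from datetime import datetime, timezone

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed management network
BUSINESS_HOURS = range(7, 19)                      # assumed 07:00-18:59 UTC

# Constructed sample events (not real PAN-OS log output).
SAMPLE_LOG = """\
2020-07-01T08:15:02Z,AUTH,method=saml,result=success,user=alice,src=10.0.0.25,target=globalprotect-portal
2020-07-01T02:13:44Z,AUTH,method=saml,result=success,user=admin,src=203.0.113.5,target=web-ui
2020-07-01T02:15:01Z,CONFIG,action=edit,user=admin,src=203.0.113.5,path=shared/server-profile/saml-idp/corp-idp/validate-idp-certificate,value=no
2020-07-01T09:05:12Z,AUTH,method=ldap,result=success,user=bob,src=10.0.0.40,target=web-ui
2020-07-01T09:40:00Z,CONFIG,action=edit,user=alice,src=10.0.0.25,path=shared/server-profile/saml-idp/corp-idp/validate-idp-certificate,value=yes
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp,KIND,key=value,...' into a dict with a UTC datetime."""
    ts, kind, *kv = line.split(",")
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["kind"] = kind
    return fields


def in_mgmt_net(ip: str, mgmt_nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in mgmt_nets)


def analyze(log_text: str, mgmt_nets=MGMT_NETS, business_hours=BUSINESS_HOURS) -> list:
    """Return (line_no, rule, user, src) alerts for the events worth a look."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev["kind"] == "AUTH" and ev.get("method") == "saml" and ev.get("result") == "success":
            # Successful SAML login from a network that should never reach the device
            if not in_mgmt_net(ev["src"], mgmt_nets):
                alerts.append((n, "saml-login-outside-mgmt-net", ev["user"], ev["src"]))
            # Administrative (web UI) SAML login at an unusual hour
            if ev.get("target") == "web-ui" and ev["ts"].hour not in business_hours:
                alerts.append((n, "web-ui-saml-login-off-hours", ev["user"], ev["src"]))
        elif ev["kind"] == "CONFIG" and "saml-idp" in ev.get("path", ""):
            # Turning IdP certificate validation off re-opens the vulnerable state
            if ev["path"].endswith("validate-idp-certificate") and ev.get("value") == "no":
                alerts.append((n, "saml-idp-cert-validation-disabled", ev["user"], ev["src"]))
            else:
                alerts.append((n, "saml-idp-profile-changed", ev["user"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the sample, the alice login on line 1 is clean (management network, business hours), while line 2 fires twice (foreign source, off hours) and line 3 shows the same session disabling certificate validation on the IdP profile, which is exactly the sequence the indicators above describe. The correlation with identity-provider logs recommended above is the natural next step: a successful SAML login on the firewall with no matching authentication event at the IdP is the strongest signal for this vulnerability.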

How to Mitigate CVE-2020-2021

Immediate Actions Required

  • Verify SAML configuration on all PAN-OS devices and ensure the 'Validate Identity Provider Certificate' option is enabled (checked) in all SAML Identity Provider Server Profiles
  • Upgrade to patched versions: PAN-OS 9.1.3 or later, PAN-OS 9.0.9 or later, or PAN-OS 8.1.15 or later
  • Migrate off PAN-OS 8.0 immediately as it is end-of-life with no available patch
  • Restrict network access to management interfaces to trusted management networks only
  • Review administrative access logs for evidence of compromise and investigate any suspicious activity

Patch Information

Palo Alto Networks has released security patches addressing this vulnerability. Organizations should upgrade to the following minimum versions:

  • PAN-OS 9.1: Upgrade to version 9.1.3 or later
  • PAN-OS 9.0: Upgrade to version 9.0.9 or later
  • PAN-OS 8.1: Upgrade to version 8.1.15 or later
  • PAN-OS 8.0: No patch available - migrate to supported version immediately

For complete patch information and download links, refer to the Palo Alto Networks Security Advisory. This vulnerability is tracked in CISA's Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply remediations.

Workarounds

  • Enable the 'Validate Identity Provider Certificate' option in all SAML Identity Provider Server Profiles - this is the primary mitigation
  • If SAML authentication cannot be immediately secured, consider temporarily disabling SAML authentication and using alternative authentication methods
  • Restrict network access to PAN-OS and Panorama management interfaces to dedicated management networks using firewall rules
  • Implement additional access controls such as VPN requirements or jump hosts for administrative access
  • Consider disabling GlobalProtect Portal and Gateway SAML authentication until patches can be applied
```bash
# Verify SAML configuration via CLI (operational mode)
show config running | match "validate-idp-certificate"

# Restrict management interface access (example, entered in configure mode)
set deviceconfig system permitted-ip <management-network-cidr>
```
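As an added example that is not Palo Alto Networks tooling, the audit script below automates the two checks that matter most from the Patch Information and Workarounds sections: whether a device's PAN-OS version meets the fixed release for its train (8.0 is reported as unsupported), and which SAML Identity Provider Server Profiles in a configuration export do not have 'Validate Identity Provider Certificate' set to yes. The XML layout (server-profile/saml-idp/entry with a validate-idp-certificate child) is an assumption modelled on a PAN-OS configuration export and the sample export is constructed; confirm the paths against a real export before relying on the script.

```python
"""Audit helper for CVE-2020-2021: patched version plus IdP certificate validation.

Added example, not vendor tooling. Fixed versions come from the advisory;
the XML structure is an assumption and must be checked against a real export.
"""
import xml.etree.ElementTree as ET

# Minimum fixed release per train, as stated in the advisory. 8.0 has no fix.
FIXED_VERSIONS = {"9.1": (9, 1, 3), "9.0": (9, 0, 9), "8.1": (8, 1, 15)}

# Constructed sample export; layout is an assumption, not a real device config.
SAMPLE_CONFIG = """\
<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="partner-idp">
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp"/>
      </saml-idp>
    </server-profile>
  </shared>
</config>
"""


def parse_version(version: str) -> tuple:
    """'9.1.2-h1' -> (9, 1, 2); hotfix suffixes are ignored for the comparison."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def version_status(version: str) -> str:
    """Classify a PAN-OS version against the advisory's fixed releases."""
    parts = parse_version(version)
    train = f"{parts[0]}.{parts[1]}"
    if train == "8.0":
        return "unsupported: PAN-OS 8.0 is end-of-life with no fix; migrate"
    if train not in FIXED_VERSIONS:
        return "not covered: release train not listed in the advisory"
    fixed = FIXED_VERSIONS[train]
    if parts >= fixed:
        return "patched"
    return "vulnerable: upgrade to PAN-OS " + ".".join(map(str, fixed)) + " or later"


def weak_saml_profiles(config_xml: str) -> list:
    """Names of SAML IdP profiles whose validate-idp-certificate is not 'yes'.

    A missing element is flagged too: the audit only trusts an explicit 'yes'.
    The .// search also catches vsys-scoped profiles if they use the same layout.
    """
    root = ET.fromstring(config_xml)
    weak = []
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = (entry.findtext("validate-idp-certificate") or "").strip().lower()
        if flag != "yes":
            weak.append(entry.get("name"))
    return weak


if __name__ == "__main__":
    for v in ("9.1.2", "9.1.3", "9.0.9", "8.1.14-h2", "8.0.20"):
        print(v, "->", version_status(v))
    print("profiles needing attention:", weak_saml_profiles(SAMPLE_CONFIG))
```

Either finding alone is enough to act on: a device can be fully patched and still have an unchecked profile, and an unchecked profile on an unpatched device is the exposed configuration described throughout this page.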

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.