September 27, 2020

CVE-2020-2021: SAML authentication mechanism bypasses vulnerability alert

2 min read

Palo Alto officially issued a risk notification that bypassed the SAML authentication mechanism. The vulnerability number is CVE-2020-2021, and the vulnerability level is high risk.

Security Assertion Markup Language (SAML) is a standard for logging users into the current application based on their conversation in another context.
The SAML authentication mechanism has the threat of authentication bypass. When SAML is turned on and the Validate Identity Provider Certificate option is turned off, unauthenticated remote attackers can bypass the SAML authentication mechanism to access protected resources through this vulnerability.

Vulnerability Detail

There are three pre-exploitation conditions for this vulnerability:

This issue is applicable only where SAML authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked) in the SAML Identity Provider Server Profile.

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile.

“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0.”

Affected version

  • PAN-OS 9.1:<9.1.3
  • PAN-OS 9.0:<9.0.9
  • PAN-OS 8.1:<8.1.15
  • PAN-OS 8.*

Unaffected version

  • PAN-OS >=9.1.3
  • PAN-OS >=9.0.9
  • PAN-OS >=8.1.15


We recommend that users install the latest patches in a timely manner to avoid being hacked.