CVE-2020-2021 Palo Alto Networks PAN-OS: Authentication Bypass in SAML Authentication Vulnerability

By Fortra's Digital Defense

CVE-2020-2021 Palo Alto Networks PAN-OS

A critical severity authentication bypass vulnerability in certain configurations of Palo Alto Networks PAN-OS devices using Security Assertion Markup Language (SAML) authentication.

On June 29, 2020, Palo Alto Networks issued a security advisory for PAN-OS versions with SAML authentication enabled and the 'Validate Identity Provider Certificate' option disabled (unchecked) in the SAML Identity Provider Server Profile. Improper verification of cryptographic signatures in PAN-OS SAML authentication could allow an unauthenticated attacker with network access to the vulnerable server to access protected resources.

Affected versions of PAN-OS are:

  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.9
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.15
  • All versions of PAN-OS 8.0 (EOL)
  • This issue does not affect PAN-OS 7.1

This issue cannot be exploited if SAML is not used for authentication.

This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.
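The two conditions above (an unpatched version and a SAML IdP profile with certificate validation turned off) are what an exposure check has to test together. The following Python script is an added example, not Palo Alto Networks' code and not the Frontline.Cloud check; it assumes the version string is the one shown by `show system info` and that an exported PAN-OS XML configuration stores the option as server-profile/saml-idp/entry/validate-idp-certificate with the value "yes" or "no" (the same naming the CLI uses; treat the exact path as an assumption). The sample configuration embedded in it is constructed for the example.

```python
"""Exposure check for the CVE-2020-2021 condition (added example).

Assumptions (not taken from the advisory): the version string format and the
XML path server-profile/saml-idp/entry/validate-idp-certificate.
"""
import xml.etree.ElementTree as ET

# Fixed releases per advisory: 9.1.3, 9.0.9, 8.1.15. 8.0 is EOL with no fix;
# 7.1 is not affected.
FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}
EOL_VULNERABLE = {(8, 0)}
NOT_AFFECTED = {(7, 1)}

# Constructed sample: one profile with validation off, one with it on.
SAMPLE_CONFIG = """<config version="9.0.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-prod">
          <validate-idp-certificate>no</validate-idp-certificate>
          <certificate>okta-idp-cert</certificate>
        </entry>
        <entry name="adfs-corp">
          <validate-idp-certificate>yes</validate-idp-certificate>
          <certificate>adfs-idp-cert</certificate>
        </entry>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""


def parse_version(text):
    """'9.0.8-h1' -> (9, 0, 8); a hotfix suffix does not change the base release."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_vulnerable(text):
    """True/False per the advisory's version list, None for a branch it does not cover."""
    version = parse_version(text)
    branch = version[:2]
    if branch in NOT_AFFECTED:
        return False
    if branch in EOL_VULNERABLE:
        return True
    if branch in FIXED:
        return version < FIXED[branch]
    return None


def unvalidated_saml_profiles(config_xml):
    """Names of SAML IdP profiles whose 'Validate Identity Provider Certificate'
    is not explicitly 'yes'. A missing element is flagged too, because this
    check cannot see the GUI default and the safe answer is to review it."""
    root = ET.fromstring(config_xml)
    weak = []
    for saml_idp in root.iter("saml-idp"):
        for profile in saml_idp.findall("entry"):
            flag = profile.findtext("validate-idp-certificate", default="")
            if flag.strip().lower() != "yes":
                weak.append(profile.get("name"))
    return weak


def assess(version, config_xml):
    """Return a list of finding strings; an empty list means the advisory
    condition is not met (fixed version, unaffected branch, or no weak profile)."""
    vulnerable = version_vulnerable(version)
    if vulnerable is None:
        return [f"PAN-OS {version}: branch not covered by the advisory, review manually"]
    if not vulnerable:
        return []
    weak = unvalidated_saml_profiles(config_xml)
    if not weak:
        # Unpatched but, per the advisory, not exploitable with this SAML configuration.
        return [f"PAN-OS {version} is below the fixed release; not exploitable with "
                "current SAML settings, but upgrade before the configuration changes"]
    return [f"PAN-OS {version} is unpatched and SAML IdP profile '{name}' has "
            "'Validate Identity Provider Certificate' disabled: exploitable"
            for name in weak]


if __name__ == "__main__":
    for finding in assess("9.0.8", SAMPLE_CONFIG):
        print(finding)
```

Run against a real device, the version comes from `show system info` and the XML from an exported configuration; the script deliberately reports an unpatched device even when no weak profile exists, since turning the option off later would make it exploitable without any further upgrade step.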

Palo Alto Networks has released fixed versions for this vulnerability (listed above) and has stated that it is not aware of any malicious attempts to exploit this vulnerability at this time.

Reference the Palo Alto Networks Security Advisory for additional details.

The Digital Defense Vulnerability Research Team is developing a check for this condition in Frontline.Cloud.