A severe VPN vulnerability has been found in popular business network software

During an internal security review, Palo Alto Networks discovered an authentication bypass vulnerability in certain versions of its PAN-OS software. The vulnerability can be exploited to access restricted VPN network resources. PAN-OS is the software that powers all of Palo Alto Networks' firewall products. The vulnerability affects some versions of four PAN-OS branches: in the 8.1 branch, versions prior to PAN-OS 8.1.17; in the 9.0 branch, versions prior to PAN-OS 9.0.11; in the 9.1 branch, versions prior to PAN-OS 9.1.5; and in the 10.0 branch, versions prior to PAN-OS 10.0.1. Even if you are running an affected version, you are only at risk if your PAN-OS device is configured to allow users to authenticate with client certificate authentication.

The authentication bypass problem exists specifically in the PAN-OS GlobalProtect SSL VPN component. For the attack to be successful, your device must be running one of the earlier versions of PAN-OS mentioned above. Also, you must have configured the device to rely on certificate-based authentication only. In such a scenario, an attacker could gain access to the network by bypassing all client certificate checks. Palo Alto Networks has rated the issue as high severity, although it is not aware of any malicious exploitation of this issue in the wild. To mitigate the issue, make sure your device is running the latest version of the respective PAN-OS branch. You can also configure GlobalProtect SSL VPN to require all portal and gateway users to authenticate with their credentials instead of relying on certificates.
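The two conditions above (an affected version on one of the four branches, and GlobalProtect configured for certificate-only authentication) are easy to get wrong when triaging a fleet by hand. The following script is an added example, not code from Palo Alto Networks or from the article: it encodes the fixed versions stated above and flags which devices in a constructed inventory still need attention. It assumes plain `major.minor.maintenance` version strings (an optional `-hN` hotfix suffix is tolerated and ignored) and that each device's authentication mode is already known; the inventory entries are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# First fixed version on each affected branch, exactly as the article states.
# Any version on one of these branches that sorts below the fixed version
# is affected; branches not listed here are treated as not affected.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 1): (8, 1, 17),
    (9, 0): (9, 0, 11),
    (9, 1): (9, 1, 5),
    (10, 0): (10, 0, 1),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.maintenance' (optionally '-hN' hotfix) into a tuple.

    The hotfix suffix is dropped on purpose: the article defines the cutoff
    per maintenance release, so 9.0.10-h1 is still below 9.0.11.
    """
    base = version.strip().split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected PAN-OS version format: {version!r}")
    major, minor, maint = (int(p) for p in parts)
    return (major, minor, maint)


def version_is_affected(version: str) -> bool:
    """True if the version is below the fixed release on an affected branch."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False
    return parsed < fixed


def assess(version: str, cert_only_auth: bool) -> Dict[str, object]:
    """Combine both preconditions from the advisory into one verdict.

    A device is at risk only when it runs an affected version AND relies on
    client certificate authentication alone for GlobalProtect.
    """
    affected = version_is_affected(version)
    at_risk = affected and cert_only_auth
    if not affected:
        reason = "version is not in an affected range"
    elif not cert_only_auth:
        reason = "affected version, but credential-based auth is required"
    else:
        reason = "affected version with certificate-only GlobalProtect auth"
    return {"affected_version": affected, "at_risk": at_risk, "reason": reason}


# Constructed sample inventory (hypothetical hostnames and settings).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "fw-edge-01", "version": "9.0.10", "cert_only_auth": True},
    {"host": "fw-edge-02", "version": "9.0.11", "cert_only_auth": True},
    {"host": "fw-dc-01", "version": "8.1.16-h1", "cert_only_auth": False},
    {"host": "fw-dc-02", "version": "10.0.0", "cert_only_auth": True},
    {"host": "fw-lab-01", "version": "10.1.0", "cert_only_auth": True},
]


def triage(inventory: List[Dict[str, object]]) -> List[str]:
    """Return hostnames that meet both preconditions and need remediation."""
    flagged = []
    for device in inventory:
        verdict = assess(str(device["version"]), bool(device["cert_only_auth"]))
        if verdict["at_risk"]:
            flagged.append(str(device["host"]))
    return flagged


if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        verdict = assess(str(device["version"]), bool(device["cert_only_auth"]))
        print(f"{device['host']:<12} {device['version']:<10} {verdict['reason']}")
    print("needs remediation:", triage(SAMPLE_INVENTORY))
```

Both remediations the article names map directly onto the two flags: upgrading moves `affected_version` to `False`, and switching GlobalProtect to require portal and gateway users to present credentials moves `cert_only_auth` to `False`; either one is enough to clear `at_risk`.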