The U.S. government is warning that foreign nation-state hackers will "likely attempt" to exploit a new "critical"-rated security vulnerability in several widely used Palo Alto Networks firewall and VPN appliances, which if exploited could allow an attacker to break into a company's network with relative ease.
That's the warning from US Cyber Command, a unified combatant command of the Department of Defense whose commander also leads the NSA, which said enterprises should patch their vulnerable devices as soon as possible.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
The flaw lies in PAN-OS, the software that powers several of Palo Alto Networks' firewalls and enterprise VPN appliances. These devices let employees reach their corporate network from home, access that is crucial during the pandemic, while keeping unauthorized users out.
Typically employees must enter their corporate username and password, and often a two-factor code. But the flaw could, when SAML-based login is enabled and the device has not been configured to validate the identity provider's certificate, let an attacker reach resources behind one of these devices without a valid password, giving them a foothold on the rest of the network.
Palo Alto Networks said a fix has been shipped in a software update. Enterprises that cannot patch immediately can mitigate the flaw by switching SAML off, at the cost of losing single sign-on for the users who rely on it; SAML is the standard that lets a user log in to the network through a separate identity provider. Turning SAML back on without first installing the fix reopens the hole.
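As an added example (not code from the article, from Palo Alto Networks or from the advisory), the class of mistake that turns a SAML login into an authentication bypass: a service provider that checks the assertion's signature against whatever key material the response itself carries instead of against the identity-provider certificate it was configured with. An attacker can then mint an assertion for any username, sign it with a key they control, and be accepted. Real SAML responses use XML Digital Signatures (RSA over canonicalised XML); to keep this runnable with only the Python standard library, the signature is a stand-in HMAC-SHA256 over the C14N-canonicalised `<saml:Assertion>` and the IdP "certificate" is a base64 key in `<ds:KeyInfo>`. The keys, usernames and the audience URL are all constructed for the example.

```python
"""Added example, not code from the article or from Palo Alto Networks.

Why a SAML service provider must verify assertion signatures against the
identity-provider certificate it was configured with, never against key
material carried inside the response. The signature is a stand-in
HMAC-SHA256 over the canonicalised assertion (real SAML uses XMLDSig/RSA);
keys, names and URLs below are constructed.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IDP_KEY = b"constructed-idp-signing-key"        # what the SP admin configured
ATTACKER_KEY = b"constructed-attacker-key"      # key the attacker controls
SP_ENTITY_ID = "https://vpn.example.test/sso"   # hypothetical audience of the SP


def canon(elem: ET.Element) -> bytes:
    """Stand-in for XMLDSig canonicalisation: C14N 2.0 with prefixes normalised,
    so signer and verifier hash exactly the same bytes."""
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml, rewrite_prefixes=True).encode()


def build_response(subject: str, key: bytes, audience: str = SP_ENTITY_ID) -> str:
    """Construct a signed SAML Response. The signer advertises its own key in
    KeyInfo, just as a real response embeds the signing X.509 certificate."""
    a = ET.Element(f"{{{NS['saml']}}}Assertion", {"ID": "_a1"})
    subj = ET.SubElement(a, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{NS['saml']}}}Conditions")
    ar = ET.SubElement(cond, f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{NS['saml']}}}Audience").text = audience
    sig = hmac.new(key, canon(a), hashlib.sha256).digest()

    root = ET.Element(f"{{{NS['samlp']}}}Response")
    root.append(a)
    s = ET.SubElement(root, f"{{{NS['ds']}}}Signature")
    ET.SubElement(s, f"{{{NS['ds']}}}SignatureValue").text = base64.b64encode(sig).decode()
    ki = ET.SubElement(s, f"{{{NS['ds']}}}KeyInfo")
    ET.SubElement(ki, f"{{{NS['ds']}}}KeyValue").text = base64.b64encode(key).decode()
    return ET.tostring(root, encoding="unicode")


def _parse(response_xml: str):
    """Pull out the assertion, the signature bytes and the key the message advertises."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    sig = root.find("ds:Signature", NS)
    sig_value = base64.b64decode(sig.find("ds:SignatureValue", NS).text)
    key_in_msg = base64.b64decode(sig.find("ds:KeyInfo/ds:KeyValue", NS).text)
    return assertion, sig_value, key_in_msg


def verify_weak(response_xml: str):
    """Vulnerable: the signature is checked with the key the response itself
    supplies. A response signed with an attacker's key therefore passes."""
    assertion, sig_value, key_in_msg = _parse(response_xml)
    expected = hmac.new(key_in_msg, canon(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_value):
        return None
    return assertion.find("saml:Subject/saml:NameID", NS).text


def verify_strict(response_xml: str, idp_key: bytes = IDP_KEY,
                  audience: str = SP_ENTITY_ID):
    """Hardened: only the configured IdP key may validate a signature and
    KeyInfo is ignored; the assertion must also be addressed to this SP."""
    assertion, sig_value, _unused_key_in_msg = _parse(response_xml)
    expected = hmac.new(idp_key, canon(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_value):
        return None
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:
        return None
    return assertion.find("saml:Subject/saml:NameID", NS).text


if __name__ == "__main__":
    legit = build_response("alice", IDP_KEY)
    forged = build_response("admin", ATTACKER_KEY)
    print("weak  :", verify_weak(legit), verify_weak(forged))       # alice admin
    print("strict:", verify_strict(legit), verify_strict(forged))   # alice None
```

The weak verifier accepts the forged response because it lets the message choose the verification key; the strict one rejects it because the configured key is the only trust anchor, and it additionally refuses assertions issued for a different audience, which stops a valid assertion for another service from being replayed against the VPN. In a real deployment the equivalent check is to pin the IdP signing certificate in the service provider's configuration and to reject any response whose signature does not validate under that certificate.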
But the clock is ticking on enterprises getting those fixes installed. VPN appliances and firewalls are a prime target for hackers: they sit at the network edge, are reachable from the internet by design, and a successful attack lands the intruder inside the corporate network.
Last year, researchers found flaws in three corporate VPN appliances, including Palo Alto Networks' GlobalProtect. Although fixes were quickly rolled out, enterprises that were slow to patch found their networks under attack, prompting Homeland Security's cyber advisory unit to issue an alert. In some cases, hackers used the vulnerability to spread ransomware across the network.
For the time being, Palo Alto Networks says it has no evidence that this vulnerability is being exploited. But given the immediate risk to networks, companies should patch as soon as possible.