- Principia Raid
Critical new Palo Alto networking bug likely to be exploited by foreign adversaries
Palo Alto Networks issued and then updated an advisory earlier this week categorized as 'Severity 10 - CRITICAL' that impacts their VPN and Firewall products.
If exploited, this flaw would permit unauthorized administrative login, allowing attackers full access to install software or conduct malicious activity on the compromised network. Specifically, if Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables unauthorized access to protected network resources.
Palo Alto's GlobalProtect VPN tool is widely used and likely to be the most significant attack vector. Almost immediately after the advisory was issued, the official Twitter account for the US Cybersecurity and Infrastructure Security Agency warned that the vulnerability was likely to be exploited in the wild by APTs (Advanced Persistent Threats - typically sophisticated hacker groups that are often state-sponsored arms of foreign adversaries).
Palo Alto issued a knowledge base article describing how to check for vulnerable configurations and patch accordingly. They also indicated there is no evidence yet of the flaw being exploited, but nonetheless this should be on your zero-day risk watch list. If your organization is affected, this should take immediate priority.
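As an added illustration of the configuration check described above (this is example code written for this post, not Palo Alto's knowledge base procedure), the script below walks a PAN-OS XML configuration export and reports every authentication profile that uses SAML through an IdP server profile whose 'Validate Identity Provider Certificate' setting is not enabled. The XML paths (`shared/server-profile/saml-idp/entry`, the `validate-idp-certificate` element, and `shared/authentication-profile/entry/method/saml-idp/server-profile`) are assumptions about the export layout and should be confirmed against your own export; the sample configuration embedded in the script is constructed for the example.

```python
"""Audit a PAN-OS XML configuration export for the condition in the advisory:
SAML authentication in use while 'Validate Identity Provider Certificate'
is disabled (unchecked).

Assumed schema (an assumption for this example, not taken from the article):
  - SAML IdP server profiles: shared/server-profile/saml-idp/entry[@name]
    with a <validate-idp-certificate> child holding 'yes' or 'no'
  - authentication profiles: shared/authentication-profile/entry[@name]
    with method/saml-idp/server-profile naming the IdP profile
The SAMPLE_CONFIG below is constructed for this example.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <entity-id>https://idp.example.test/metadata</entity-id>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="partner-idp">
          <entity-id>https://partner-idp.example.test/metadata</entity-id>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp">
          <entity-id>https://legacy.example.test/metadata</entity-id>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-saml-auth">
        <method><saml-idp><server-profile>corp-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-saml-auth">
        <method><saml-idp><server-profile>legacy-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="partner-auth">
        <method><saml-idp><server-profile>partner-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="local-auth">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def find_unvalidated_saml_profiles(config_xml: str) -> list:
    """Return one finding per authentication profile whose SAML IdP server
    profile does not have validate-idp-certificate set to 'yes'."""
    root = ET.fromstring(config_xml)

    # Map each SAML IdP server profile name to whether IdP certificate
    # validation is explicitly enabled. A missing element is treated as
    # not validated so that it is surfaced for review rather than skipped.
    idp_validation = {}
    for entry in root.findall("./shared/server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="no")
        idp_validation[entry.get("name")] = flag.strip().lower() == "yes"

    findings = []
    for auth in root.findall("./shared/authentication-profile/entry"):
        ref = auth.findtext("method/saml-idp/server-profile")
        if ref is None:
            continue  # not a SAML authentication profile; nothing to check
        ref = ref.strip()
        if idp_validation.get(ref, False):
            continue  # IdP certificate validation is on for this profile
        reason = ("validate-idp-certificate is not 'yes'"
                  if ref in idp_validation
                  else "referenced SAML IdP server profile not found")
        findings.append({"auth_profile": auth.get("name"),
                         "idp_profile": ref,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unvalidated_saml_profiles(SAMPLE_CONFIG):
        print(f"REVIEW: auth profile '{f['auth_profile']}' -> IdP profile "
              f"'{f['idp_profile']}': {f['reason']}")
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; every line it prints names an authentication profile to fix (enable certificate validation on the IdP profile) or to remove. Treating an absent `validate-idp-certificate` element as a finding is a deliberately conservative choice for the audit, not a statement about the product's default.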
If you need some help with your information security challenges, reach out - we're here to help.