Two critical flaws in the month of May

This week, the Cisco and Palo Alto Networks security teams corrected two critical authentication bypass vulnerabilities. An authentication bypass is a flaw that lets an attacker reach and modify operational aspects of the affected system, which can lead to further attacks such as denial of service (DoS) or the deactivation of other functions of the attacked system.

In this case, however, the flaws could allow an attacker to escalate privileges and take control of affected devices through a Man-in-the-Middle (MiTM) attack, a method in which a cybercriminal intercepts the data traffic between two linked parties while posing as one of them. The basic purpose of such an attack is to read, insert and modify data at will between those parties.

The flaws were discovered by the security firm Silverfort, which reported that they are very similar to each other, suggesting that other implementations of the affected protocol may share the same weakness. Both have already been corrected: Cisco fixed its product earlier this month, while Palo Alto Networks did so this week. Everything indicates that the flaws stem from the implementation of Kerberos, a computer network authentication protocol created at MIT that allows two computers on an insecure network to prove their identity to each other securely.

[Figure: Graphic description of a MiTM attack]

On the one hand, we have the vulnerability registered as CVE-2020-2002, which affects Palo Alto Networks. It is rated as serious and resides specifically in PAN-OS, the operating system of Palo Alto Networks security devices. It affects the following versions:

• PAN-OS 7.1 versions prior to 7.1.26
• PAN-OS 8.1 versions prior to 8.1.13
• PAN-OS 9.0 versions prior to 9.0.6
• All versions of PAN-OS 8.0

To explain this flaw in a simple way, let's first consider what needs to happen for Kerberos to work:

1) The user authenticates to the server.
2) The server authenticates to the client.
3) The KDC also authenticates itself to the server.

What appears to happen is that KDC authentication to the server is often skipped, probably to avoid the hassle of additional configuration requirements. But when the KDC does not authenticate itself to the server, the security of the whole protocol is compromised: a cybercriminal can authenticate to PAN-OS with any password, whether or not it is the correct one.
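As an added example (not code from the page, Silverfort, Cisco or Palo Alto Networks), the following Python toy model of the exchange shows why skipping KDC verification matters: a device-side login that only checks the AS-REP accepts any password from a spoofed KDC, while one that also requests a ticket for its own principal and checks it against its own keytab rejects the spoofed KDC. HMAC tags stand in for Kerberos encrypted parts, and the user, principal and keytab values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

def derive_key(secret: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the user key is derived from the password.
    return hashlib.sha256(secret.encode()).digest()

def tag(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a Kerberos encrypted part: only a holder of `key` can produce it.
    return hmac.new(key, msg, hashlib.sha256).digest()

class RealKDC:
    """The legitimate KDC: knows every user key and every service (keytab) key."""
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
    def as_exchange(self, user, preauth):
        key = self.user_keys.get(user)
        if key is None or not hmac.compare_digest(preauth, tag(key, b"preauth")):
            return None                      # wrong password: no TGT issued
        return tag(key, b"AS-REP")
    def tgs_exchange(self, service):
        key = self.service_keys.get(service)
        return None if key is None else tag(key, b"TGS-REP:" + service.encode())

class RogueKDC:
    """A spoofed KDC in the MITM position: it knows only the password that was typed."""
    def __init__(self, typed_password):
        self.key = derive_key(typed_password)
    def as_exchange(self, user, preauth):
        return tag(self.key, b"AS-REP")      # answers for any user, any password
    def tgs_exchange(self, service):
        return tag(secrets.token_bytes(32), b"TGS-REP")  # no keytab key: bogus ticket

def login(kdc, user, password, own_principal=None, own_key=None):
    """Device-side Kerberos login. Without own_key it behaves like the vulnerable
    configuration; with own_key it performs KDC verification using its own keytab."""
    key = derive_key(password)
    as_rep = kdc.as_exchange(user, tag(key, b"preauth"))
    if as_rep is None or not hmac.compare_digest(as_rep, tag(key, b"AS-REP")):
        return False
    if own_key is None:
        return True   # vulnerable: the KDC itself was never authenticated
    # Hardened: obtain a ticket for our own principal and check it with our keytab key.
    tgs_rep = kdc.tgs_exchange(own_principal)
    expected = tag(own_key, b"TGS-REP:" + own_principal.encode())
    return tgs_rep is not None and hmac.compare_digest(tgs_rep, expected)
```

With the real KDC both variants behave the same; only the hardened variant refuses the spoofed KDC, which is the configuration change the vendors' fixes require.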

To summarise the exploitability metrics, which describe the context in which exploitation is possible: the attack vector is the network, meaning the affected component is bound to the network stack and the attacker's path runs through OSI layer 3; no interaction is required from the attacked user; and no privileges are required to execute the attack. With no prior privileges needed and nothing required of the affected users, the problem is critical.

Therefore, both the confidentiality impact and the integrity and availability impact are considered “High”.

CVSS Base Score: 8.1
Impact Subscore: 5.9
Exploitability Subscore: 2.2
CVSS Temporal Score: NA
CVSS Environmental Score: NA
Modified Impact Subscore: NA
Overall CVSS Score: 8.1

Similarly, there is the vulnerability identified as CVE-2020-3125, finally patched on May 6, which affects Cisco Adaptive Security Appliance (ASA) devices when they use Kerberos authentication configured for VPN or local device access.

Cisco has issued an advisory containing instructions for administrators to verify whether Kerberos authentication is configured, as well as a table of fixed Cisco ASA versions. In any case, Cisco has said that certain configuration changes are required, even after the software update.

It should be noted that this flaw has exactly the same impact as its peer discovered in the same month, both in its exploitability metrics and in its impact metrics. It has received a base CVSS score of 8.1, and deservedly so. As with its sister vulnerability, however, the attack complexity is high: success depends on conditions beyond the attacker's control, specific conditions are required in both cases, and the attacker must invest considerable effort in preparation and/or execution for the attack to succeed.

CVSS Base Score: 8.1
Impact Subscore: 5.9
Exploitability Subscore: 2.2
CVSS Temporal Score: NA
CVSS Environmental Score: NA
Modified Impact Subscore: NA
Overall CVSS Score: 8.1

The affected companies acted quickly to resolve these two problems and are closely following their evolution. These are critical flaws: regardless of whether their attack complexity is high, both pose extremely high risks to the integrity of the systems involved. Monitoring and keeping software up to date is essential and more than recommended.
