During an internal security review, Palo Alto Networks discovered an authentication bypass vulnerability in some versions of their PAN-OS software. The vulnerability can be exploited to gain access to restricted VPN network resources.
PAN-OS is the software that powers all of Palo Alto Networks' firewall products. The vulnerability affects certain versions of four branches of PAN-OS. On PAN-OS 8.1, it affects versions earlier than PAN-OS 8.1.17; on PAN-OS 9.0, versions earlier than PAN-OS 9.0.11; on PAN-OS 9.1, versions earlier than PAN-OS 9.1.5; and on PAN-OS 10.0, versions earlier than PAN-OS 10.0.1.
Even if you are using an affected version, you're only at risk if your PAN-OS appliance is set to allow users to authenticate with client certificate authentication.
The authentication bypass issue specifically exists in the GlobalProtect SSL VPN component of PAN-OS.
For the attack to be successful, your appliance must be running one of the older PAN-OS versions mentioned above. Furthermore, you must have configured the appliance to rely solely on certificate-based authentication. In such a scenario, an attacker could gain access to the network, bypassing all client certificate checks.
Palo Alto Networks has tagged the issue as high severity, although it isn't aware of any malicious exploitation of this issue in the wild.
To mitigate the issue, make sure your appliance is running the newest version of the respective PAN-OS branch. You can also configure the GlobalProtect SSL VPN to require all gateway and portal users to authenticate using their credentials instead of relying on certificates.
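As an added example (not from the original article or from Palo Alto Networks), the following Python check takes a PAN-OS version string and the authentication configuration and reports whether an appliance meets both exposure conditions described above; treating a trailing hotfix suffix such as "-h1" as part of the same maintenance release is an assumption about PAN-OS version strings.

```python
import re

# Fixed versions per branch, as listed in the article: a release is affected
# if it belongs to one of these branches and is older than the fixed version.
FIXED_VERSIONS = {
    "8.1": (8, 1, 17),
    "9.0": (9, 0, 11),
    "9.1": (9, 1, 5),
    "10.0": (10, 0, 1),
}

# Assumption: PAN-OS versions look like "major.minor.maint" with an optional
# "-hN" hotfix suffix; the suffix is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_panos_version(version: str) -> tuple:
    """Parse 'major.minor.maint[-hN]' into an (int, int, int) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """True if the version is older than the fix for its branch."""
    major, minor, maint = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return False  # branch not listed in the advisory
    return (major, minor, maint) < fixed


def is_exposed(version: str, cert_only_auth: bool) -> bool:
    """Both conditions must hold: an affected version AND GlobalProtect
    relying solely on client certificate authentication."""
    return is_affected_version(version) and cert_only_auth


if __name__ == "__main__":
    # Constructed sample inventory: (version, certificate-only auth?)
    for version, cert_only in [("9.0.10", True), ("9.0.11", True), ("8.1.16", False)]:
        auth = "cert-only" if cert_only else "credentials"
        print(version, auth, "->", "EXPOSED" if is_exposed(version, cert_only) else "not exposed")
```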