Authentication Bypass Exploited in the Wild
Palo Alto Networks has confirmed that a medium severity authentication bypass vulnerability in PAN-OS and Prisma Access is being actively exploited. The flaw, which carries a CVSS score of 7.8, allows attackers to bypass security restrictions and establish unauthorized VPN connections through the GlobalProtect portal or gateway. Successful exploitation can give malicious actors direct access to an organization's internal network.
The vulnerability specifically affects firewalls where the GlobalProtect portal or gateway is configured with authentication override cookies enabled and a specific certificate configuration is present. Palo Alto Networks updated its initial advisory from May 13 to report limited exploit attempts on unpatched devices that had not applied mitigations.
Impact and Scope of Attacks
Security firm Rapid7 identified successful exploitation across multiple customers, with the earliest attack attempts dating back to May 17 and a second wave occurring on May 21. Both waves are believed to be the work of the same threat actor. In the second wave, researchers observed VPN IP assignments following cookie authentication in two cases, granting the attacker network access, though no further malicious activity was detected in those environments.
Rapid7 emphasized the significant risk posed by an authentication bypass in an edge-facing enterprise VPN appliance, urging organizations to apply patches urgently. As temporary mitigations, Palo Alto Networks recommends either disabling the authentication override feature or generating a new certificate to be used exclusively for that feature.
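As an added example (not code from the article, Palo Alto Networks or Rapid7), the following Python audit encodes the mitigation decision above: for every GlobalProtect portal or gateway with authentication override enabled, it checks whether the cookie certificate is shared with any other portal, gateway or service and reports which mitigation applies. The inventory format, field names and certificate labels are constructed for the example and are not PAN-OS configuration syntax; treating a shared cookie certificate as the exposed condition is an assumption inferred from the "dedicated certificate" mitigation, not the advisory's exact trigger.

```python
from collections import defaultdict

# Constructed sample inventory; field names and certificate labels are
# assumptions for this example, not PAN-OS configuration syntax.
INVENTORY = {
    "gp_portals": [
        {"name": "portal-hq", "auth_override": True, "cookie_cert": "wildcard-cert"},
        {"name": "portal-lab", "auth_override": False, "cookie_cert": "wildcard-cert"},
    ],
    "gp_gateways": [
        {"name": "gw-east", "auth_override": True, "cookie_cert": "gp-cookie-only"},
        {"name": "gw-west", "auth_override": True, "cookie_cert": "wildcard-cert"},
    ],
    # Other consumers of the same certificates, e.g. a TLS listener.
    "other_cert_uses": [{"service": "portal-tls", "cert": "wildcard-cert"}],
}

GP_KINDS = ("gp_portals", "gp_gateways")


def cert_usage(inv):
    """Map certificate name -> set of 'kind:name' places that use it."""
    uses = defaultdict(set)
    for kind in GP_KINDS:
        for e in inv[kind]:
            uses[e["cookie_cert"]].add(f"{kind}:{e['name']}")
    for o in inv["other_cert_uses"]:
        uses[o["cert"]].add(f"other:{o['service']}")
    return uses


def audit(inv):
    """Return findings for every portal/gateway with auth override enabled.
    Assumption: a cookie certificate used elsewhere is the exposed condition."""
    uses = cert_usage(inv)
    findings = {}
    for kind in GP_KINDS:
        for e in inv[kind]:
            if not e["auth_override"]:
                continue  # override disabled: the first mitigation is in place
            shared = sorted(uses[e["cookie_cert"]] - {f"{kind}:{e['name']}"})
            action = ("disable authentication override or move this entry to a "
                      "certificate used by nothing else" if shared
                      else "patch; certificate is already dedicated to this entry")
            findings[e["name"]] = {"cert": e["cookie_cert"],
                                   "shared_with": shared, "action": action}
    return findings
```

Running `audit(INVENTORY)` flags portal-hq and gw-west (both share wildcard-cert with other uses) and reports gw-east as already on a dedicated certificate, while portal-lab is skipped because override is disabled.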
Source: The Hacker News

