Man-in-The-Middle (MitM) attack vulnerability affects Cisco and Palo Alto firewall, switches and router affected

Security teams from Cisco and Palo Alto Networks have fixed two critical authentication bypass vulnerabilidades present in their network security solutions. It appears that the flaws exist due to monitoring in the implementation of the Kerberos protocol and its exploitation could allow threat actors to take control of the affected devices using Man-in-The-Middle (MiTM) attacks.

The discovery of both flaws was led by cybersecurity firm Silverfort, which reported that these vulnerabilities are very similar and could exist in other implementations of the affected protocol. Both Palo Alto and Cisco have already fixed vulnerabilities. Below is an analysis of the reported flaws.

Regarding the affected deployment, Kerberos is a popular authentication protocol in enterprise environments. To provide maximum security, the protocol has three authentication steps:

  • The user authenticates to the server
  • The server authenticates to the client
  • The Kerberos Key Distribution Center (KDC) authenticates to the server

Experts mention that KDC authentication on the server is often overlooked, as its implementation complicates configuration requirements. However, if the KDC is not authenticated to the server, protocol security is completely compromised, allowing threat actors to hijack network traffic and authenticate with any password, even an incorrect one.

CVE-2020-2002: This vulnerability resides in PAN-OS, the operating system of Palo Alto Networks security devices and was considered a high-gravity flaw. The flaw exists in PAN-OS 7.1 versions earlier than 7.1.26, PANOS 8.1 earlier than 8.1.13, PAN-OS 9.0 earlier than 9.0.6 and in all versions of PAN-OS 8.0, as it has already reached the end of its support.   

According to the report, there is an authentication bypass via an impersonation vulnerability in the authentication daemon, so PAN-OS cannot verify the integrity of the Kerberos Key Distribution Center (KDC) before authenticating users. A threat actor could use a MiTM attack to intercept communications between the operating system and the KDC and log in as an administrator.

CVE-2020-3125: This is a similar vulnerability that exists in Cisco Adaptive Security Appliance (ASA) software. Devices running Cisco ASA software are only affected if they have Kerberos authentication configured for VPN or access to local devices.

The Cisco Security Alert includes instructions for exposed deployment administrators to verify whether Kerberos authentication is enabled. The company also warns that correcting this issue requires some configuration changes, even after the software update.