What is CVE-2020-2050?

CVE-2020-2050 is an authentication bypass vulnerability in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software.

How severe is CVE-2020-2050?

CVE-2020-2050 has a severity value of 8.2, which is considered high.

Which software versions are affected by CVE-2020-2050?

Palo Alto Networks PAN-OS software versions 8.1.0 to 8.1.17, 9.0.0 to 9.0.11, 9.1.0 to 9.1.5, and 10.0.0 to 10.0.1 are affected by CVE-2020-2050.

How does CVE-2020-2050 work?

CVE-2020-2050 allows an attacker to bypass all client certificate checks with an invalid certificate, enabling them to authenticate as any user and gain unrestricted access to restricted resources.

How can I fix CVE-2020-2050?

To fix CVE-2020-2050, it is recommended to update Palo Alto Networks PAN-OS software to a version that is not affected by the vulnerability.

Vulnerability/
CVE-2020-2050

high

8.2

CWE

287 285

12/11/2020

17/9/2024

CVE-2020-2050: PAN-OS: Authentication bypass vulnerability in GlobalProtect SSL VPN client certificate verification

First published: Thu Nov 12 2020(Updated: )

An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication. Impacted features that use SSL VPN with client certificate verification are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN In configurations where client certificate verification is used in conjunction with other authentication methods, the protections added by the certificate check are ignored as a result of this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Credit: psirt@paloaltonetworks.com

Affected Software	Affected Version	How to fix
Palo Alto Networks PAN-OS	>=8.1.0<8.1.17
Palo Alto Networks PAN-OS	>=9.0.0<9.0.11
Palo Alto Networks PAN-OS	>=9.1.0<9.1.5
Palo Alto Networks PAN-OS	>=10.0.0<10.0.1

Remedy

This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, PAN-OS 10.0.1, and all later PAN-OS versions.

Never miss a vulnerability like this again

Reference Links

https://security.paloaltonetworks.com/CVE-2020-2050

Frequently Asked Questions

What is CVE-2020-2050?
CVE-2020-2050 is an authentication bypass vulnerability in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software.
How severe is CVE-2020-2050?
CVE-2020-2050 has a severity value of 8.2, which is considered high.
Which software versions are affected by CVE-2020-2050?
Palo Alto Networks PAN-OS software versions 8.1.0 to 8.1.17, 9.0.0 to 9.0.11, 9.1.0 to 9.1.5, and 10.0.0 to 10.0.1 are affected by CVE-2020-2050.
How does CVE-2020-2050 work?
CVE-2020-2050 allows an attacker to bypass all client certificate checks with an invalid certificate, enabling them to authenticate as any user and gain unrestricted access to restricted resources.
How can I fix CVE-2020-2050?
To fix CVE-2020-2050, it is recommended to update Palo Alto Networks PAN-OS software to a version that is not affected by the vulnerability.

agent/weakness
agent/type
agent/softwarecombine
agent/author
agent/remedy
agent/references
agent/severity
agent/title
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/paloaltonetworks
canonical/palo alto networks pan-os
version/palo alto networks pan-os/8.1.0
version/palo alto networks pan-os/9.0.0
version/palo alto networks pan-os/9.1.0
version/palo alto networks pan-os/10.0.0