US Cyber Command highlights Palo Alto Networks security patch, citing foreign espionage

U.S. cyber officials are urging American companies and individuals who rely on a popular security product to update their systems immediately, before foreign hackers can exploit a flaw in the technology to steal protected information.

The Department of Homeland Security and U.S. Cyber Command said Monday that a “critical” flaw in technology from Palo Alto Networks, a multinational security firm based in California, could enable attackers “with network access” to obtain sensitive information. The flaw exists in PAN-OS, the operating system that runs the company’s firewalls and corporate virtual private network products.

Cyber Command said in a tweet that advanced hacking groups “will likely attempt exploit soon.”

Palo Alto Networks issued a patch on Monday for the security flaw, the start of a weeks- or months-long process in which corporate security teams update their technologies to fend off hacking groups.

The software flaw, officially dubbed CVE-2020-2021, was designated a 10.0 on the severity scale in the U.S. National Institute of Science and Technology’s National Vulnerability Database.

The bug is rated so critical in part because exploiting it requires little technical skill, and because it allows an authentication bypass: attackers can access affected devices without supplying valid username and password credentials. The issue affects Palo Alto Networks device users who rely on a verification technique called SAML authentication.

U.S. Cyber Command recently has warned of unrelated malicious activity from suspected North Korean hackers, and has sought to highlight Russian information operations aimed at propagating conspiracy theories in the U.S.

Hackers often aim to exploit vulnerabilities before a patch is available, as they did when the BlueKeep security vulnerability in Microsoft’s Remote Desktop Protocol emerged in 2019. In that case, even after a security fix was released, the issue was so severe that some security teams told CyberScoop they were unable to vet the security update, and thus ensure it would function properly, before implementing the fix.