OASIS Mailing List Archives

security-services message



Subject: Fwd: SAML Security Bypass



Members of the SAML TC,

Patrick Durusau forwarded this to me last Thursday and I want to make sure you are aware of it.

The actual vulnerability appears to be in the PAN-OS software itself when using a particular configuration of SAML. It doesn't seem to present a vulnerability in the spec itself.

But I did want to make sure you were aware of it. If it does seem to involve SAML in any way, feel free to contact me about how to respond.

Best,

/chet


---------- Forwarded message ---------
From: Patrick Durusau <patrick@durusau.net>
Date: Thu, Jul 2, 2020 at 3:53 PM
Subject: SAML Security Bypass
To: Chet Ensign <chet.ensign@oasis-open.org>


Chet,

I know you have been all over this but I ran across this blog today
while searching for something else:

https://www.trustedsec.com/blog/cve-2020-2021-pan-os-saml-security-bypass/

Hope you are having a great week!

Patrick

--
Patrick Durusau
patrick@durusau.net
Technical Advisory Board, OASIS (TAB)
Editor, OpenDocument Format TC (OASIS), Project Editor ISO/IEC 26300
Co-Editor, ISO/IEC 13250-1, 13250-5 (Topic Maps)

Another Word For It (blog): http://tm.durusau.net
Homepage: http://www.durusau.net
Twitter: patrickDurusau




--

/chet
----------------
Chet Ensign
Chief Technical Community Steward
OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org

Mobile: +1 201-341-1393

