-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0181
                  CVE-2021-3031 and CVE-2021-3032 PAN-OS
                              15 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated (CVE-2021-3031, adjacent network)
                   Access Confidential Data -- Existing Account       (CVE-2021-3032, local, high privileges)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3032 CVE-2021-3031 

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3031
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3032

Comment: This bulletin contains two (2) Palo Alto security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2021-3031

CVE-2021-3031 PAN-OS: Information exposure in Ethernet data frame construction
(Etherleak)

Severity: 4.3 MEDIUM
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Published: 2021-01-13
Updated: 2021-01-13
Reference: PAN-124681
Discovered in production use

Description

Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000
Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series
firewalls are not cleared before the data frame is created. This leaks a small
amount of random information from the firewall memory into the Ethernet
packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able
to collect potentially sensitive information from these packets.

This issue is also known as Etherleak and is detected by security scanners as
CVE-2003-0001.
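The check a scanner performs for Etherleak is simple: on a frame that had to be padded up to the 60-byte Ethernet minimum, the bytes after the layer-3 PDU's declared length should all be zero, and anything else is leftover memory. The following detector is an added example written for this bulletin, not Palo Alto Networks code or the check any particular scanner uses; the frames it inspects are constructed inline (a real run would read them from a capture taken on the firewall's segment), and the "secret" padding is a stand-in for leaked memory.

```python
"""Flag Ethernet frames whose padding is not all zeros (Etherleak, CVE-2003-0001 style).

Added example for this bulletin; not Palo Alto Networks code. Frames below are
constructed inline; a real check would read them from a pcap taken on the
firewall's Ethernet segment.
"""
import struct
from typing import Optional

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60          # minimum frame size on the wire, FCS excluded
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def l3_extent(frame: bytes):
    """Return (offset, declared_length) of the layer-3 PDU, or None if unparseable.

    Only IPv4 and ARP carry an explicit length we can trust; other ethertypes
    are skipped rather than guessed at.
    """
    if len(frame) < ETH_HDR_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = ETH_HDR_LEN
    if ethertype == ETHERTYPE_VLAN:            # 802.1Q tag adds 4 bytes
        if len(frame) < off + 4:
            return None
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < off + 20:
            return None
        total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
        return off, total_len
    if ethertype == ETHERTYPE_ARP:
        if len(frame) < off + 8:
            return None
        hlen, plen = frame[off + 4], frame[off + 5]   # hardware/protocol address sizes
        return off, 8 + 2 * hlen + 2 * plen
    return None


def trailer(frame: bytes) -> bytes:
    """Bytes after the declared layer-3 length: the padding on a short frame."""
    ext = l3_extent(frame)
    if ext is None:
        return b""
    off, length = ext
    return frame[off + length:]


def leaks_padding(frame: bytes) -> bool:
    """True when a minimum-size frame carries non-zero padding.

    Zero padding is what a correct driver emits; anything else on a frame that
    had to be padded to 60 bytes is candidate leaked memory.
    """
    return len(frame) <= MIN_FRAME_LEN and any(trailer(frame))


def build_ipv4_frame(l4: bytes, pad: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed test frame: Ethernet/[802.1Q]/IPv4(UDP) followed by explicit padding.

    IP and UDP checksums are left zero; the detector never looks at them.
    """
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    total_len = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + pad


# Constructed samples: a 28-byte IPv4/UDP PDU needs 18 bytes of padding.
UDP = struct.pack("!HHHH", 53, 1025, 8, 0)
CLEAN_FRAME = build_ipv4_frame(UDP, bytes(18))
LEAK_BYTES = b"kernel-cfg-secret!"          # stand-in for leftover firewall memory
LEAKY_FRAME = build_ipv4_frame(UDP, LEAK_BYTES)
LEAKY_VLAN_FRAME = build_ipv4_frame(UDP, LEAK_BYTES[:14], vlan=100)


def scan(frames):
    """Return [(index, trailer)] for every frame that looks like Etherleak."""
    return [(i, trailer(f)) for i, f in enumerate(frames) if leaks_padding(f)]


if __name__ == "__main__":
    for i, t in scan([CLEAN_FRAME, LEAKY_FRAME, LEAKY_VLAN_FRAME]):
        print(f"frame {i}: non-zero padding {t!r}")
```

The detector only reports frames at or below the 60-byte minimum, since a longer frame has no mandatory padding and a trailer there means something other than Etherleak. Hits should still be reviewed by hand: a driver that pads with a fixed non-zero pattern would also trip this check, so the value of the trailer, not just its presence, is what tells you whether memory is being exposed.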

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.18;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.12;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.

Product Status

Versions     Affected                                                      Unaffected
PAN-OS 10.0  None                                                          10.0.*
PAN-OS 9.1   < 9.1.5 on PA-200, PA-220, PA-500, PA-800, PA-2000 Series,    >= 9.1.5
             PA-3000 Series, PA-3200 Series, PA-5200
PAN-OS 9.0   < 9.0.12 on PA-200, PA-220, PA-500, PA-800, PA-2000 Series,   >= 9.0.12
             PA-3000 Series, PA-3200 Series, PA-5200
PAN-OS 8.1   < 8.1.18 on PA-200, PA-220, PA-500, PA-800, PA-2000 Series,   >= 8.1.18
             PA-3000 Series, PA-3200 Series, PA-5200

Severity: MEDIUM

CVSSv3.1 Base Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-200 Information Exposure

Solution

This issue is fixed in PAN-OS 8.1.18, PAN-OS 9.0.12, PAN-OS 9.1.5, and all
later PAN-OS versions.

Workarounds and Mitigations

There is no workaround that prevents the information leak in the Ethernet
packets. Because the attacker must be on the same layer-2 segment as a firewall
interface to observe the padding, restricting which hosts can reach those
segments reduces the risk until the upgrade is applied.

Acknowledgments

This issue was found by a customer of Palo Alto Networks during a security
review.

Timeline

2021-01-13 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3032

CVE-2021-3032 PAN-OS: Configuration secrets for log forwarding may be logged in
system logs

Severity: 4.4 MEDIUM
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Published: 2021-01-13
Updated: 2021-01-13
Reference: PAN-149377
Discovered in production use

Description

An information exposure through log file vulnerability exists in Palo Alto
Networks PAN-OS software where configuration secrets for the "http", "email",
and "snmptrap" v3 log forwarding server profiles can be logged to the
logrcvr.log system log.

Logged information may include up to 1024 bytes of the configuration including
the username and password in an encrypted form and private keys used in any
certificate profiles set for log forwarding server profiles.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.18;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.12;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.4;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Product Status

  Versions   Affected Unaffected
PAN-OS 10.0  < 10.0.1 >= 10.0.1
PAN-OS 9.1   < 9.1.4  >= 9.1.4
PAN-OS 9.0   < 9.0.12 >= 9.0.12
PAN-OS 8.1   < 8.1.18 >= 8.1.18
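The two advisories fix the same trains at different releases (9.1.5 for CVE-2021-3031 but 9.1.4 for CVE-2021-3032, and 10.0 is unaffected by the first but fixed only at 10.0.1 for the second), and the Etherleak issue is further limited to the hardware platforms it names. The following checker is an added example written for this bulletin, not a Palo Alto Networks tool. The fixed releases are taken from the two advisories; the treatment of a "PA-xxxx Series" entry as every model sharing those leading digits (for instance PA-5220 and PA-5250 under "PA-5200 Series") and the handling of "-hN" hotfix suffixes are assumptions of this example.

```python
"""Classify a PAN-OS release against CVE-2021-3031 and CVE-2021-3032.

Added example for this bulletin, not a Palo Alto Networks tool. Fixed releases
are those stated in the two advisories. Assumptions of this example: a
"PA-xxxx Series" entry covers every model sharing those leading digits, and a
"-hN" hotfix suffix sorts after its base release.
"""
import re
from typing import Optional

# Fixed release per train, from the advisories. None: the train is not affected.
FIXED = {
    "CVE-2021-3031": {"8.1": "8.1.18", "9.0": "9.0.12", "9.1": "9.1.5", "10.0": None},
    "CVE-2021-3032": {"8.1": "8.1.18", "9.0": "9.0.12", "9.1": "9.1.4", "10.0": "10.0.1"},
}

# Hardware named in CVE-2021-3031. Exact models, plus assumed number ranges for "Series".
ETHERLEAK_MODELS = {200, 220, 500}
ETHERLEAK_SERIES = [(800, 899), (2000, 2099), (3000, 3099),
                    (3200, 3299), (5200, 5299), (7000, 7099)]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
_UNLISTED = object()


def parse_version(text: str):
    """'9.1.4-h1' -> (9, 1, 4, 1); the hotfix number sorts after the base release."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def etherleak_platform(model: str) -> bool:
    """True for the PA-series hardware listed in CVE-2021-3031 (VM-Series is not listed)."""
    m = re.match(r"^PA-(\d+)$", model.strip().upper())
    if not m:
        return False
    n = int(m.group(1))
    return n in ETHERLEAK_MODELS or any(lo <= n <= hi for lo, hi in ETHERLEAK_SERIES)


def affected(cve: str, version: str, model: Optional[str] = None) -> Optional[bool]:
    """True/False for trains the advisory covers; None if the train is not in the advisory.

    For CVE-2021-3031, passing the platform model excludes hardware the advisory
    does not name; without a model the answer is based on the release alone.
    """
    ver = parse_version(version)
    train = f"{ver[0]}.{ver[1]}"
    fixed = FIXED[cve].get(train, _UNLISTED)
    if fixed is _UNLISTED:
        return None
    if fixed is None:
        return False
    if cve == "CVE-2021-3031" and model is not None and not etherleak_platform(model):
        return False
    return ver < parse_version(fixed)


def assess(version: str, model: Optional[str] = None) -> dict:
    """One verdict per CVE, e.g. {'CVE-2021-3031': True, 'CVE-2021-3032': False}."""
    return {cve: affected(cve, version, model) for cve in FIXED}


if __name__ == "__main__":
    for ver, model in [("9.1.4", "PA-5220"), ("9.1.4-h1", "PA-220"),
                       ("10.0.0", "PA-3220"), ("9.0.11", "VM-300")]:
        print(ver, model, assess(ver, model))
```

A None verdict means the train (for example 8.0) is not mentioned in either advisory; that is not a clean bill of health, only a signal to check the vendor's support status separately. Note that 9.1.4-h1 comes out affected by CVE-2021-3031 and not by CVE-2021-3032, which is what the two different fixed releases for the 9.1 train imply.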

Required Configuration for Exposure

This issue is only applicable to PAN-OS devices configured to use log
forwarding. You can verify this in the management web interface: Device -> Log
Settings.

Severity: MEDIUM

CVSSv3.1 Base Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-532 Information Exposure Through Log Files

Solution

If the PAN-OS firewall is impacted, upgrading alone is not sufficient: secrets
already written to the log file (/var/log/pan/logrcvr.log) remain on disk until
the file is cleared. Once the firewall is running a fixed release, clear the
log with the following CLI command:

delete debug-log mp-log file logrcvr.log

This issue is fixed in PAN-OS 8.1.18, PAN-OS 9.0.12, PAN-OS 9.1.4, PAN-OS
10.0.1, and all later PAN-OS versions.

Because the logged entries may have been read by anyone with access to the
system logs before they were cleared, it is also prudent to rotate the
credentials and private keys used by the affected log forwarding server
profiles.

Workarounds and Mitigations

This issue requires access to PAN-OS log files generated in the system. You can
mitigate the impact of this issue by following best practices for securing the
PAN-OS management interface. Please review the Best Practices for Securing
Administrative Access in the PAN-OS technical documentation, available at
https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

This issue was found by My Tran, Mai Phan, and Claire Zhou of Palo Alto
Networks during internal security testing.

Timeline

2021-01-13 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=2Lvq
-----END PGP SIGNATURE-----