Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1268
CVE-2021-3036, CVE-2021-3037 PAN-OS: Information Disclosure vulnerability
15 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PAN-OS
Publisher: Palo Alto
Operating System: Network Appliance
Impact/Access: Access Privileged Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3037 CVE-2021-3036
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/CVE-2021-3036
https://securityadvisories.paloaltonetworks.com/CVE-2021-3037
Comment: This bulletin contains two (2) Palo Alto Networks security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Palo Alto Networks Security Advisories / CVE-2021-3036
CVE-2021-3036 PAN-OS: Administrator secrets are logged in web server logs when
using the PAN-OS XML API incorrectly
047910
Severity 4.4 . MEDIUM
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact NONE
Availability Impact NONE
NVD JSON
Published 2021-04-14
Updated 2021-04-14
Reference PAN-154114
Discovered externally
Description
An information exposure through log file vulnerability exists in Palo Alto
Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in
cleartext to the web server logs when the API is used incorrectly.
This vulnerability applies only to PAN-OS appliances that are configured to use
the PAN-OS XML API and exists only when a client includes a duplicate API
parameter in API requests.
Logged information includes the cleartext username, password, and API key of
the administrator making the PAN-OS XML API request.
Product Status
Versions Affected Unaffected
PAN-OS 10.0 < 10.0.1 >= 10.0.1
PAN-OS 9.1 < 9.1.6 >= 9.1.6
PAN-OS 9.0 < 9.0.12 >= 9.0.12
PAN-OS 8.1 < 8.1.19 >= 8.1.19
Required Configuration for Exposure
This vulnerability applies only to PAN-OS appliances that are configured to use
the PAN-OS XML API.
Severity: MEDIUM
CVSSv3.1 Base Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-532 Information Exposure Through Log Files
Solution
This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.12, PAN-OS 9.1.6, PAN-OS
10.0.1, and all later PAN-OS versions.
After you upgrade the PAN-OS appliance, you must change the passwords and
generate a new API key for all impacted PAN-OS administrators.
Workarounds and Mitigations
You must change the passwords and generate a new API key for all impacted
PAN-OS administrators. Confirm that there aren't any PAN-OS XML API requests
that repeat API parameters in the request.
Acknowledgments
Palo Alto Networks thanks David Tien of Cyber Risk for discovering and
reporting this issue.
Timeline
2021-04-14 Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure
Policy Report vulnerabilitiesManage subscriptions
(C) 2020 Palo Alto Networks, Inc. All rights reserved.
- --------------------------------------------------------------------------------
Palo Alto Networks Security Advisories / CVE-2021-3037
CVE-2021-3037 PAN-OS: Secrets for scheduled configuration exports are logged in
system logs
047910
Severity 2.3 . LOW
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact NONE
NVD JSON
Published 2021-04-14
Updated 2021-04-14
Reference PAN-131474
Discovered externally
Description
An information exposure through log file vulnerability exists in Palo Alto
Networks PAN-OS software where the connection details for a scheduled
configuration export are logged in system logs.
Logged information includes the cleartext username, password, and IP address
used to export the PAN-OS configuration to the destination server.
Product Status
Versions Affected Unaffected
PAN-OS 10.0 None >= 10.0.0
PAN-OS 9.1 < 9.1.4 >= 9.1.4
PAN-OS 9.0 < 9.0.13 >= 9.0.13
PAN-OS 8.1 < 8.1.19 >= 8.1.19
Required Configuration for Exposure
This issue is only applicable to PAN-OS devices that have been configured to
use scheduled configuration exports at any time.
Severity: LOW
CVSSv3.1 Base Score: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-534 Information Exposure Through Debug Log Files
Solution
This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.4, and all
later PAN-OS versions.
After you upgrade the PAN-OS appliance, you must change the connection details
used in scheduled configuration exports. You should also change the credentials
on the destination server that are used to export the configuration.
Workarounds and Mitigations
Acknowledgments
This issue was found by a customer of Palo Alto Networks during a security
review.
Timeline
2021-04-14 Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure
Policy Report vulnerabilitiesManage subscriptions
(C) 2020 Palo Alto Networks, Inc. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHew3eNLKJtyKPYoAQg1yRAAoH/rDF4/0XyB0hAgxQEOJ91QCzh0AY2i
pr6jpfd8jd9/NhSHTmJwkmiZxzVQ5GkH9nqqOq2LXcgBuYc0ntw1C0u3PyW9Us4K
1VTCeJvlGmeRE7r56b0tLYZo/BMl+28XCGINdqeRT81Sxq2udpNqiOLXcdl2tC2u
jRW57OOrYG0xKI9fyPvjE/9gnLOfwOctm6IGmxcQXNQ3XlIuOr0zROEz36rjWAZk
SqUD8zo0/kedVoHVMEXINCrjT5QrA0T0xp+6niCbyKicB8ZaZoR838bN54YIdZMI
o0/YP1REYTEFvi8SEBbyVwiE9YQ9Sj1yX3SA3NivrMKPEPEYjGz5OmqRIzqfvitV
Rpe3nb0UIbBRpQdmOrHcOH256x9dR5UMrUvms7mQ5Owyh+3i4pqJaEL/GBI4U8xt
0B76Kx6Dy/R3Sw713+J36yCc1/Gph9IOkhGDFOMi/E+MKwN/ewortJqlwEIuhWqX
DRkjVFcJ8tmQp6GInob/KOCFwlN55XobhakNGuE4u/fYDva9zZP5WGCPI+Zm7NWh
oKmxese3W+vK+iptCnmOHG967oX5dGoejG2mz8pvFiBYhkvd2doCt0Y2m0/82nVE
Y9pW0gn2MC/RxPYPLtzO7g5qFSPke/v8Bi+SlS1DFFtOsmSLB8AGEF7XTUv59ody
HB8AvQ53CG0=
=HQ6J
-----END PGP SIGNATURE-----