-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3834
                     PAN-OS: Multiple vulnerabilities
                             11 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3064 CVE-2021-3063 CVE-2021-3062
                   CVE-2021-3061 CVE-2021-3060 CVE-2021-3059
                   CVE-2021-3058 CVE-2021-3056 

Reference:         ESB-2021.3784
                   ESB-2021.2960

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3056
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3058
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3059
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3060
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3061
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3062
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3063
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3064

Comment: This bulletin contains eight (8) Palo Alto security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2021-3056

CVE-2021-3056 PAN-OS: Memory Corruption Vulnerability in GlobalProtect
Clientless VPN During SAML Authentication

Severity 8.8 HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-149501
Discovered internally

Description

A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect
Clientless VPN enables an authenticated attacker to execute arbitrary code with
root user privileges during SAML authentication.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.9;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Prisma Access customers with Prisma Access 2.1 Preferred firewalls are impacted
by this issue.

Product Status

Versions           Affected   Unaffected
Prisma Access 2.2  None       all
Prisma Access 2.1  Preferred  Innovation
PAN-OS 10.1        None       10.1.*
PAN-OS 10.0        < 10.0.1   >= 10.0.1
PAN-OS 9.1         < 9.1.9    >= 9.1.9
PAN-OS 9.0         < 9.0.14   >= 9.0.14
PAN-OS 8.1         < 8.1.20   >= 8.1.20

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with the
Clientless VPN feature and SAML authentication enabled for GlobalProtect
Portal.

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-120 Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS
10.0.1, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access
versions.

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91585 on traffic processed by the
firewall to block attacks against CVE-2021-3056.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during an
internal security review.

Timeline

2021-11-10 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3058

CVE-2021-3058 PAN-OS: OS Command Injection Vulnerability in Web Interface XML
API

Severity 8.8 HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-176653
Discovered externally

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS web
interface enables an authenticated administrator with permission to use the
XML API to execute arbitrary OS commands and escalate privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

This issue does not impact Prisma Access firewalls.

Product Status

Versions           Affected     Unaffected
Prisma Access 2.2  None         all
Prisma Access 2.1  None         all
PAN-OS 10.1        < 10.1.3     >= 10.1.3
PAN-OS 10.0        < 10.0.8     >= 10.0.8
PAN-OS 9.1         < 9.1.11-h2  >= 9.1.11-h2
PAN-OS 9.0         < 9.0.14-h3  >= 9.0.14-h3
PAN-OS 8.1         < 8.1.20-h1  >= 8.1.20-h1

Required Configuration for Exposure

This vulnerability is only applicable to PAN-OS firewalls configured to use the
XML API.

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91715 on traffic processed by the
firewall to block attacks against CVE-2021-3058.

This issue requires the attacker to have authenticated access to the PAN-OS web
interface. You can mitigate the impact of this issue by following best
practices for securing the PAN-OS web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for discovering
and reporting this issue.

Timeline

2021-11-10 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3059

CVE-2021-3059 PAN-OS: OS Command Injection Vulnerability When Performing
Dynamic Updates

Severity 8.1 HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-176618
Discovered externally

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS
management interface exists when performing dynamic updates. This vulnerability
enables a man-in-the-middle attacker to execute arbitrary OS commands to
escalate privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access
2.1 Innovation firewalls are impacted by this issue.

Product Status

Versions           Affected               Unaffected
Prisma Access 2.2  None                   all
Prisma Access 2.1  Preferred, Innovation
PAN-OS 10.1        < 10.1.3               >= 10.1.3
PAN-OS 10.0        < 10.0.8               >= 10.0.8
PAN-OS 9.1         < 9.1.11-h2            >= 9.1.11-h2
PAN-OS 9.0         < 9.0.14-h3            >= 9.0.14-h3
PAN-OS 8.1         < 8.1.20-h1            >= 8.1.20-h1

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations that receive
dynamic updates. You can verify that your firewall receives dynamic updates at
'Device Deployment > Dynamic Updates' in the web interface.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access
versions.

Workarounds and Mitigations

You can disable scheduled dynamic updates for the firewall at 'Device
Deployment > Dynamic Updates' in the web interface. Choosing not to receive
dynamic updates will minimize your exposure to this vulnerability until you
upgrade the PAN-OS firewall to a fixed version.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for discovering
and reporting this issue.

Timeline

2021-11-10 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3060

CVE-2021-3060 PAN-OS: OS Command Injection in Simple Certificate Enrollment
Protocol (SCEP)

Severity 8.1 HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-176661
Discovered externally

Description

An OS command injection vulnerability in the Simple Certificate Enrollment
Protocol (SCEP) feature of PAN-OS software allows an unauthenticated
network-based attacker with specific knowledge of the firewall configuration to
execute arbitrary code with root user privileges. The attacker must have
network access to the GlobalProtect interfaces to exploit this issue.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1
Innovation firewalls are impacted by this issue.

Product Status

Versions           Affected               Unaffected
Prisma Access 2.2  None                   all
Prisma Access 2.1  Preferred, Innovation
PAN-OS 10.1        < 10.1.3               >= 10.1.3
PAN-OS 10.0        < 10.0.8               >= 10.0.8
PAN-OS 9.1         < 9.1.11-h2            >= 9.1.11-h2
PAN-OS 9.0         < 9.0.14-h3            >= 9.0.14-h3
PAN-OS 8.1         < 8.1.20-h1            >= 8.1.20-h1

Required Configuration for Exposure

This issue is applicable only to GlobalProtect portal and gateway
configurations that are configured with a SCEP profile and when the default
master key was not changed.

You can determine if your configuration has a SCEP profile by selecting 'Device
> Certificate Management > SCEP' from the web interface.

Note: The SCEP profile does not need to be enabled for the firewall to be at
risk; it need only exist in the configuration, even if disabled.

You know you are using the default master key when the master key was not
explicitly configured on the firewall. Review the master key configuration by
selecting 'Device > Master Key and Diagnostics' from the web interface and
change the key if needed.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue at
time of publication. However, we expect exploits for this issue to become
publicly available.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access
versions.

Workarounds and Mitigations

Changing the master key for the firewall prevents exploitation of this
vulnerability. This is a security best practice for both PAN-OS and Prisma
Access customers.

Documentation for configuring the master key is available at:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html.
Please note the special requirements for high-availability (HA) and
Panorama-managed environments.

Additional information is available for Prisma Access customers at:
https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html.

Remove all configured SCEP profiles from the firewall to completely eliminate
any risk of exploitation related to this issue. You can view any existing SCEP
profiles configured on the firewall by selecting 'Device > Certificate
Management > SCEP' from the web interface.

This issue requires the attacker to have network access to the GlobalProtect
interface.

In addition to these workarounds, you should enable signatures for Unique
Threat ID 91526 on traffic destined for GlobalProtect interfaces to further
mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not
necessary to detect attacks against this issue.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for discovering
and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this
vulnerability?

    No. Due to the nature of the vulnerability, there is no reliable indicator
    of compromise.

Q. Is this issue a remote code execution (RCE) vulnerability?

    This issue is an RCE vulnerability. This issue enables an unauthenticated
    network-based attacker with specific knowledge of the firewall
    configuration to execute arbitrary code with root user privileges.

Q. Has this issue been exploited in the wild?

    No evidence of active exploitation was identified at the time this advisory
    was published.

Timeline

2021-11-10 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3061

CVE-2021-3061 PAN-OS: OS Command Injection Vulnerability in the Command Line
Interface (CLI)

Severity 6.4 MEDIUM
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-176655 and PAN-158334
Discovered externally

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS command
line interface (CLI) enables an authenticated administrator with access to the
CLI to execute arbitrary OS commands to escalate privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by
this issue.

Product Status

Versions           Affected               Unaffected
Prisma Access 2.2  None                   all
Prisma Access 2.1  Preferred, Innovation
PAN-OS 10.1        < 10.1.3               >= 10.1.3
PAN-OS 10.0        < 10.0.8               >= 10.0.8
PAN-OS 9.1         < 9.1.11-h2            >= 9.1.11-h2
PAN-OS 9.0         < 9.0.14-h3            >= 9.0.14-h3
PAN-OS 8.1         < 8.1.20-h1            >= 8.1.20-h1

Severity: MEDIUM

CVSSv3.1 Base Score: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access
versions.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS
CLI. You can mitigate the impact of this issue by following best practices for
securing PAN-OS software. Please review the Best Practices for Securing
Administrative Access in the PAN-OS technical documentation at
https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott
from Palo Alto Networks for discovering and reporting this issue.

Timeline

2021-11-10 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3062

CVE-2021-3062 PAN-OS: Improper Access Control Vulnerability Exposing AWS
Instance Metadata Endpoint to GlobalProtect Users

Severity 8.1 HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact NONE
Published 2021-11-10
Updated 2021-11-10
Reference PAN-164422
Discovered externally

Description

An improper access control vulnerability in PAN-OS software enables an attacker
with authenticated access to GlobalProtect portals and gateways to connect to
the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon
AWS.

Exploitation of this vulnerability enables an attacker to perform any
operations allowed by the EC2 role in AWS.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls.

Prisma Access customers are not impacted by this issue.

Product Status

Versions           Affected               Unaffected
Prisma Access 2.2  None                   all
Prisma Access 2.1  None                   all
PAN-OS 10.1        None                   10.1.* on VM-Series
PAN-OS 10.0        < 10.0.8 on VM-Series  >= 10.0.8 on VM-Series
PAN-OS 9.1         < 9.1.11 on VM-Series  >= 9.1.11 on VM-Series
PAN-OS 9.0         < 9.0.14 on VM-Series  >= 9.0.14 on VM-Series
PAN-OS 8.1         < 8.1.20 on VM-Series  >= 8.1.20 on VM-Series

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a
GlobalProtect portal or gateway enabled. You can verify whether you have a
GlobalProtect portal or gateway configured by checking for entries in 'Network
> GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' on the
web interface.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Weakness Type

CWE-284 Improper Access Control

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS
10.0.8, and all later PAN-OS versions.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Matthew Flanagan of Computer Systems Australia (CSA)
for discovering and reporting this issue.

Timeline

2021-11-10 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3063

CVE-2021-3063 PAN-OS: Denial-of-Service (DoS) Vulnerability in GlobalProtect
Portal and Gateway Interfaces

Severity 7.5 HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-180032
Discovered externally

Description

An improper handling of exceptional conditions vulnerability exists in Palo
Alto Networks GlobalProtect portal and gateway interfaces that enables an
unauthenticated network-based attacker to send specifically crafted traffic to
a GlobalProtect interface that causes the service to stop responding. Repeated
attempts to send this request result in denial of service to all PAN-OS
services by restarting the device and putting it into maintenance mode.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.21;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h4;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h3;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers are not impacted by this issue.

Product Status

Versions           Affected     Unaffected
Prisma Access 2.2  None         all
Prisma Access 2.1  None         all
PAN-OS 10.1        < 10.1.3     >= 10.1.3
PAN-OS 10.0        < 10.0.8-h4  >= 10.0.8-h4
PAN-OS 9.1         < 9.1.11-h3  >= 9.1.11-h3
PAN-OS 9.0         < 9.0.14-h4  >= 9.0.14-h4
PAN-OS 8.1         < 8.1.21     >= 8.1.21

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a
GlobalProtect portal or gateway enabled. You can verify whether you have a
GlobalProtect portal or gateway configured by checking for entries in 'Network
> GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' from the
web interface.

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Weakness Type

CWE-755 Improper Handling of Exceptional Conditions

Solution

This issue is fixed in PAN-OS 8.1.21, PAN-OS 9.0.14-h4, PAN-OS 9.1.11-h3,
PAN-OS 10.0.8-h4 (available by 5pm PST on Nov 10, 2021), PAN-OS 10.1.3, and all
later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for
GlobalProtect interfaces to block attacks against CVE-2021-3063.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.

Timeline

2021-11-10 Initial publication


- --------------------------------------------------------------------------------


Palo Alto Networks Security Advisories / CVE-2021-3064

CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal
and Gateway Interfaces

Severity 9.8 CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Published 2021-11-10
Updated 2021-11-10
Reference PAN-96528
Discovered externally

Description

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect
portal and gateway interfaces that enables an unauthenticated network-based
attacker to disrupt system processes and potentially execute arbitrary code
with root privileges. The attacker must have network access to the
GlobalProtect interface to exploit this issue.

This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.

Prisma Access customers are not impacted by this issue.

Product Status

Versions           Affected  Unaffected
Prisma Access 2.2  None      all
Prisma Access 2.1  None      all
PAN-OS 10.1        None      10.1.*
PAN-OS 10.0        None      10.0.*
PAN-OS 9.1         None      9.1.*
PAN-OS 9.0         None      9.0.*
PAN-OS 8.1         < 8.1.17  >= 8.1.17
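The eight "This issue impacts" lists and Product Status tables in this bulletin all express the same check: is a firewall's sw-version below the first fixed release of its train, with hotfix suffixes ordered correctly? The following is an added Python example (not Palo Alto Networks or AusCERT code) that runs that check for every advisory at once; the fixed versions and CVSS scores are transcribed from the advisories, while the hotfix ordering rule (9.0.14 < 9.0.14-h3 < 9.0.15) and the function names are assumptions of this example.

```python
"""Affected-version triage for the eight PAN-OS advisories in ESB-2021.3834.

Added example, not Palo Alto Networks or AusCERT code. Fixed versions are
transcribed from each advisory's "Solution" section. The hotfix ordering
rule (9.0.14 < 9.0.14-h3 < 9.0.15) is an assumption about how PAN-OS "-hN"
suffixes sort; Prisma Access status is out of scope here.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Release trains the bulletin's Product Status tables cover at all.
BULLETIN_TRAINS = {"8.1", "9.0", "9.1", "10.0", "10.1"}

# Fix shared by the four OS command injection advisories (3058, 3059, 3060, 3061).
_CMD_INJECTION_FIX = {"8.1": "8.1.20-h1", "9.0": "9.0.14-h3", "9.1": "9.1.11-h2",
                      "10.0": "10.0.8", "10.1": "10.1.3"}

# First fixed version per train. A train absent from a CVE's map is listed as
# unaffected in every version (e.g. PAN-OS 10.1 for CVE-2021-3056).
FIXED_IN: Dict[str, Dict[str, str]] = {
    "CVE-2021-3056": {"8.1": "8.1.20", "9.0": "9.0.14", "9.1": "9.1.9", "10.0": "10.0.1"},
    "CVE-2021-3058": _CMD_INJECTION_FIX,
    "CVE-2021-3059": _CMD_INJECTION_FIX,
    "CVE-2021-3060": _CMD_INJECTION_FIX,
    "CVE-2021-3061": _CMD_INJECTION_FIX,
    "CVE-2021-3062": {"8.1": "8.1.20", "9.0": "9.0.14", "9.1": "9.1.11", "10.0": "10.0.8"},
    "CVE-2021-3063": {"8.1": "8.1.21", "9.0": "9.0.14-h4", "9.1": "9.1.11-h3",
                      "10.0": "10.0.8-h4", "10.1": "10.1.3"},
    "CVE-2021-3064": {"8.1": "8.1.17"},
}

# CVSSv3.1 base scores from the advisories, used to order findings.
CVSS: Dict[str, float] = {
    "CVE-2021-3056": 8.8, "CVE-2021-3058": 8.8, "CVE-2021-3059": 8.1,
    "CVE-2021-3060": 8.1, "CVE-2021-3061": 6.4, "CVE-2021-3062": 8.1,
    "CVE-2021-3063": 7.5, "CVE-2021-3064": 9.8,
}

# CVE-2021-3062 applies only to VM-Series firewalls hosted on AWS.
VM_SERIES_ONLY = {"CVE-2021-3062"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse '9.0.14' or '9.0.14-h3' into a comparable tuple.

    The base release gets hotfix 0, so (9,0,14,0) < (9,0,14,3), and the next
    maintenance release (9,0,15,0) sorts after both (assumed ordering).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(cve: str, version: str, vm_series: bool = False) -> Optional[bool]:
    """True if `version` predates the fix for `cve`; False if fixed or the train
    is listed as unaffected; None if the train is outside the bulletin."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in BULLETIN_TRAINS:
        return None  # e.g. an end-of-life train the bulletin does not cover
    if cve in VM_SERIES_ONLY and not vm_series:
        return False
    fixed = FIXED_IN[cve].get(train)
    if fixed is None:
        return False
    return parsed < parse_version(fixed)


def affected_cves(version: str, vm_series: bool = False) -> List[str]:
    """CVEs from this bulletin still applicable to `version`, highest CVSS first."""
    hits = [cve for cve in FIXED_IN if is_affected(cve, version, vm_series)]
    return sorted(hits, key=lambda cve: (-CVSS[cve], cve))


if __name__ == "__main__":
    # Constructed sample sw-version values. '9.1.11-h1' predates the 9.1.11-h2
    # fix for the command injection CVEs but is past the 9.1.9 fix for CVE-2021-3056.
    for sample, vm in [("9.1.11-h1", False), ("8.1.16", True), ("10.1.3", False)]:
        print(sample, "VM-Series" if vm else "hardware", affected_cves(sample, vm))
```

The version string is the sw-version value a firewall reports; a result of None for a train means the bulletin says nothing about it, which is not the same as unaffected.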

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a
GlobalProtect portal or gateway enabled. You can verify whether you have a
GlobalProtect portal or gateway configured by checking for entries in 'Network
> GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' from the
web interface.

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-121 Stack-based Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for
GlobalProtect portal and gateway interfaces to block attacks against
CVE-2021-3064.

It is not necessary to enable SSL decryption to detect and block attacks
against this issue.

Acknowledgments

Palo Alto Networks thanks the Randori Attack Team
(https://twitter.com/RandoriAttack) for discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this
vulnerability?

    No. Due to the nature of the vulnerability, there is no reliable indicator
    of compromise.

Q. Is this issue a remote code execution (RCE) vulnerability?

    This issue is an RCE vulnerability. This issue enables an unauthenticated
    network-based attacker with access to a GlobalProtect interface to execute
    arbitrary code with root user privileges.

Q. Has this issue been exploited in the wild?

    No evidence of active exploitation was identified at the time this advisory
    was published.

Timeline

2021-11-10 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----