-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3834
                       PAN-OS: Multiple vulnerabilities
                              11 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3064 CVE-2021-3063 CVE-2021-3062 CVE-2021-3061
                   CVE-2021-3060 CVE-2021-3059 CVE-2021-3058 CVE-2021-3056

Reference:         ESB-2021.3784
                   ESB-2021.2960

Original Bulletin:
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3056
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3058
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3059
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3060
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3061
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3062
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3063
   https://securityadvisories.paloaltonetworks.com/CVE-2021-3064

Comment: This bulletin contains eight (8) Palo Alto security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2021-3056

CVE-2021-3056 PAN-OS: Memory Corruption Vulnerability in GlobalProtect
Clientless VPN During SAML Authentication

Severity:   8.8 HIGH (Attack Vector NETWORK; Attack Complexity LOW;
            Privileges Required LOW; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-149501    Discovered internally

Description

A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect
Clientless VPN enables an authenticated attacker to execute arbitrary code
with root user privileges during SAML authentication.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS
9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than
PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Prisma Access customers with Prisma Access 2.1 Preferred firewalls are
impacted by this issue.

Product Status

  Product             Versions Affected   Unaffected
  Prisma Access 2.2   None                all
  Prisma Access 2.1   Preferred           Innovation
  PAN-OS 10.1         None                10.1.*
  PAN-OS 10.0         < 10.0.1            >= 10.0.1
  PAN-OS 9.1          < 9.1.9             >= 9.1.9
  PAN-OS 9.0          < 9.0.14            >= 9.0.14
  PAN-OS 8.1          < 8.1.20            >= 8.1.20

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with the
Clientless VPN feature and SAML authentication enabled for GlobalProtect
Portal.

Severity: HIGH
CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type: CWE-120 Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS
10.0.1, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma
Access versions.

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91585 on traffic processed by the
firewall to block attacks against CVE-2021-3056.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during an
internal security review.

Timeline

2021-11-10 Initial publication

Terms of use | Privacy | Product Security Assurance and Vulnerability
Disclosure Policy | Report vulnerabilities | Manage subscriptions
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3058

CVE-2021-3058 PAN-OS: OS Command Injection Vulnerability in Web Interface
XML API

Severity:   8.8 HIGH (Attack Vector NETWORK; Attack Complexity LOW;
            Privileges Required LOW; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-176653    Discovered externally

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS web
interface enables an authenticated administrator with permission to use the
XML API to execute arbitrary OS commands and escalate privileges.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions
earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS
10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

This issue does not impact Prisma Access firewalls.

Product Status

  Product             Versions Affected   Unaffected
  Prisma Access 2.2   None                all
  Prisma Access 2.1   None                all
  PAN-OS 10.1         < 10.1.3            >= 10.1.3
  PAN-OS 10.0         < 10.0.8            >= 10.0.8
  PAN-OS 9.1          < 9.1.11-h2         >= 9.1.11-h2
  PAN-OS 9.0          < 9.0.14-h3         >= 9.0.14-h3
  PAN-OS 8.1          < 8.1.20-h1         >= 8.1.20-h1

Required Configuration for Exposure

This vulnerability is only applicable to PAN-OS firewalls configured to use
the XML API.

Severity: HIGH
CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type: CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91715 on traffic processed by the
firewall to block attacks against CVE-2021-3058.

This issue requires the attacker to have authenticated access to the PAN-OS
web interface. You can mitigate the impact of this issue by following best
practices for securing the PAN-OS web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for
discovering and reporting this issue.

Timeline

2021-11-10 Initial publication

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3059

CVE-2021-3059 PAN-OS: OS Command Injection Vulnerability When Performing
Dynamic Updates

Severity:   8.1 HIGH (Attack Vector NETWORK; Attack Complexity HIGH;
            Privileges Required NONE; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-176618    Discovered externally

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS
management interface exists when performing dynamic updates. This
vulnerability enables a man-in-the-middle attacker to execute arbitrary OS
commands to escalate privileges.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions
earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS
10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma
Access 2.1 Innovation firewalls are impacted by this issue.

Product Status

  Product             Versions Affected        Unaffected
  Prisma Access 2.2   None                     all
  Prisma Access 2.1   Preferred, Innovation
  PAN-OS 10.1         < 10.1.3                 >= 10.1.3
  PAN-OS 10.0         < 10.0.8                 >= 10.0.8
  PAN-OS 9.1          < 9.1.11-h2              >= 9.1.11-h2
  PAN-OS 9.0          < 9.0.14-h3              >= 9.0.14-h3
  PAN-OS 8.1          < 8.1.20-h1              >= 8.1.20-h1

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations that receive
dynamic updates. You can verify that your firewall receives dynamic updates
at 'Device Deployment > Dynamic Updates' in the web interface.

Severity: HIGH
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type: CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma
Access versions.

Workarounds and Mitigations

You can disable scheduled dynamic updates for the firewall at 'Device
Deployment > Dynamic Updates' in the web interface. Choosing not to receive
dynamic updates will minimize your exposure to this vulnerability until you
upgrade the PAN-OS firewall to a fixed version.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for
discovering and reporting this issue.

Timeline

2021-11-10 Initial publication

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3060

CVE-2021-3060 PAN-OS: OS Command Injection in Simple Certificate Enrollment
Protocol (SCEP)

Severity:   8.1 HIGH (Attack Vector NETWORK; Attack Complexity HIGH;
            Privileges Required NONE; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-176661    Discovered externally

Description

An OS command injection vulnerability in the Simple Certificate Enrollment
Protocol (SCEP) feature of PAN-OS software allows an unauthenticated
network-based attacker with specific knowledge of the firewall configuration
to execute arbitrary code with root user privileges. The attacker must have
network access to the GlobalProtect interfaces to exploit this issue.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions
earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS
10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access
2.1 Innovation firewalls are impacted by this issue.

Product Status

  Product             Versions Affected        Unaffected
  Prisma Access 2.2   None                     all
  Prisma Access 2.1   Preferred, Innovation
  PAN-OS 10.1         < 10.1.3                 >= 10.1.3
  PAN-OS 10.0         < 10.0.8                 >= 10.0.8
  PAN-OS 9.1          < 9.1.11-h2              >= 9.1.11-h2
  PAN-OS 9.0          < 9.0.14-h3              >= 9.0.14-h3
  PAN-OS 8.1          < 8.1.20-h1              >= 8.1.20-h1

Required Configuration for Exposure

This issue is applicable only to GlobalProtect portal and gateway
configurations that are configured with a SCEP profile and when the default
master key was not changed.

You can determine if your configuration has a SCEP profile by selecting
'Device > Certificate Management > SCEP' from the web interface. Note: The
SCEP profile does not need to be enabled for the firewall to be at risk; it
need only exist in the configuration to be a risk, even if disabled.

You know you are using the default master key when the master key was not
explicitly configured on the firewall. Review the master key configuration
by selecting 'Device > Master Key and Diagnostics' from the web interface and
change the key if needed.

Severity: HIGH
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue
at time of publication. However, we expect exploits for this issue to become
publicly available.

Weakness Type: CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma
Access versions.

Workarounds and Mitigations

Changing the master key for the firewall prevents exploitation of this
vulnerability. This is a security best practice for both PAN-OS and Prisma
Access customers. Documentation for configuring the master key is available
at:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html
Please note the special requirements for high-availability (HA) and
Panorama-managed environments.

Additional information is available for Prisma Access customers at:
https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html

Remove all configured SCEP profiles from the firewall to completely eliminate
any risk of exploitation related to this issue. You can view any existing
SCEP profiles configured on the firewall by selecting 'Device > Certificate
Management > SCEP' from the web interface.

This issue requires the attacker to have network access to the GlobalProtect
interface.

In addition to these workarounds, you should enable signatures for Unique
Threat ID 91526 on traffic destined for GlobalProtect interfaces to further
mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not
necessary to detect attacks against this issue.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for
discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this
vulnerability?
No. Due to the nature of the vulnerability, there is no reliable indicator
of compromise.

Q. Is this issue a remote code execution (RCE) vulnerability?
This issue is an RCE vulnerability. This issue enables an unauthenticated
network-based attacker with specific knowledge of the firewall configuration
to execute arbitrary code with root user privileges.

Q. Has this issue been exploited in the wild?
No evidence of active exploitation was identified at the time this advisory
was published.

Timeline

2021-11-10 Initial publication
- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3061

CVE-2021-3061 PAN-OS: OS Command Injection Vulnerability in the Command Line
Interface (CLI)

Severity:   6.4 MEDIUM (Attack Vector LOCAL; Attack Complexity HIGH;
            Privileges Required HIGH; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-176655 and PAN-158334    Discovered externally

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS
command line interface (CLI) enables an authenticated administrator with
access to the CLI to execute arbitrary OS commands to escalate privileges.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions
earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS
10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by
this issue.

Product Status

  Product             Versions Affected        Unaffected
  Prisma Access 2.2   None                     all
  Prisma Access 2.1   Preferred, Innovation
  PAN-OS 10.1         < 10.1.3                 >= 10.1.3
  PAN-OS 10.0         < 10.0.8                 >= 10.0.8
  PAN-OS 9.1          < 9.1.11-h2              >= 9.1.11-h2
  PAN-OS 9.0          < 9.0.14-h3              >= 9.0.14-h3
  PAN-OS 8.1          < 8.1.20-h1              >= 8.1.20-h1

Severity: MEDIUM
CVSSv3.1 Base Score: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Weakness Type: CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2,
PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma
Access versions.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS
CLI. You can mitigate the impact of this issue by following best practices
for securing PAN-OS software. Please review the Best Practices for Securing
Administrative Access in the PAN-OS technical documentation at
https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott
from Palo Alto Networks for discovering and reporting this issue.

Timeline

2021-11-10 Initial publication

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3062

CVE-2021-3062 PAN-OS: Improper Access Control Vulnerability Exposing AWS
Instance Metadata Endpoint to GlobalProtect Users

Severity:   8.1 HIGH (Attack Vector NETWORK; Attack Complexity LOW;
            Privileges Required LOW; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact NONE)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-164422    Discovered externally

Description

An improper access control vulnerability in PAN-OS software enables an
attacker with authenticated access to GlobalProtect portals and gateways to
connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted
on Amazon AWS. Exploitation of this vulnerability enables an attacker to
perform any operations allowed by the EC2 role in AWS.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series
firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series
firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series
firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series
firewalls.

Prisma Access customers are not impacted by this issue.

Product Status

  Product             Versions Affected        Unaffected
  Prisma Access 2.2   None                     all
  Prisma Access 2.1   None                     all
  PAN-OS 10.1         None                     10.1.* on VM-Series
  PAN-OS 10.0         < 10.0.8 on VM-Series    >= 10.0.8 on VM-Series
  PAN-OS 9.1          < 9.1.11 on VM-Series    >= 9.1.11 on VM-Series
  PAN-OS 9.0          < 9.0.14 on VM-Series    >= 9.0.14 on VM-Series
  PAN-OS 8.1          < 8.1.20 on VM-Series    >= 8.1.20 on VM-Series

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a
GlobalProtect portal or gateway enabled. You can verify whether you have a
GlobalProtect portal or gateway configured by checking for entries in
'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect >
Gateways' on the web interface.

Severity: HIGH
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Weakness Type: CWE-284 Improper Access Control

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS
10.0.8, and all later PAN-OS versions.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Matthew Flanagan of Computer Systems Australia
(CSA) for discovering and reporting this issue.

Timeline

2021-11-10 Initial publication

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3063

CVE-2021-3063 PAN-OS: Denial-of-Service (DoS) Vulnerability in GlobalProtect
Portal and Gateway Interfaces

Severity:   7.5 HIGH (Attack Vector NETWORK; Attack Complexity LOW;
            Privileges Required NONE; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact NONE; Integrity Impact NONE;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-180032    Discovered externally

Description

An improper handling of exceptional conditions vulnerability exists in Palo
Alto Networks GlobalProtect portal and gateway interfaces that enables an
unauthenticated network-based attacker to send specifically crafted traffic
to a GlobalProtect interface that causes the service to stop responding.
Repeated attempts to send this request result in denial of service to all
PAN-OS services by restarting the device and putting it into maintenance
mode.

This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; PAN-OS
9.0 versions earlier than PAN-OS 9.0.14-h4; PAN-OS 9.1 versions earlier than
PAN-OS 9.1.11-h3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4; PAN-OS
10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers are not impacted by this issue.

Product Status

  Product             Versions Affected   Unaffected
  Prisma Access 2.2   None                all
  Prisma Access 2.1   None                all
  PAN-OS 10.1         < 10.1.3            >= 10.1.3
  PAN-OS 10.0         < 10.0.8-h4         >= 10.0.8-h4
  PAN-OS 9.1          < 9.1.11-h3         >= 9.1.11-h3
  PAN-OS 9.0          < 9.0.14-h4         >= 9.0.14-h4
  PAN-OS 8.1          < 8.1.21            >= 8.1.21

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a
GlobalProtect portal or gateway enabled. You can verify whether you have a
GlobalProtect portal or gateway configured by checking for entries in
'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect >
Gateways' from the web interface.

Severity: HIGH
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this
vulnerability.

Weakness Type: CWE-755 Improper Handling of Exceptional Conditions

Solution

This issue is fixed in PAN-OS 8.1.21, PAN-OS 9.0.14-h4, PAN-OS 9.1.11-h3,
PAN-OS 10.0.8-h4 (available by 5pm PST on Nov 10, 2021), PAN-OS 10.1.3, and
all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined
for GlobalProtect interfaces to block attacks against CVE-2021-3063.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal
security review.

Timeline

2021-11-10 Initial publication

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2021-3064

CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal
and Gateway Interfaces

Severity:   9.8 CRITICAL (Attack Vector NETWORK; Attack Complexity LOW;
            Privileges Required NONE; User Interaction NONE; Scope UNCHANGED;
            Confidentiality Impact HIGH; Integrity Impact HIGH;
            Availability Impact HIGH)
Published:  2021-11-10    Updated: 2021-11-10
Reference:  PAN-96528     Discovered externally

Description

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect
portal and gateway interfaces that enables an unauthenticated network-based
attacker to disrupt system processes and potentially execute arbitrary code
with root privileges. The attacker must have network access to the
GlobalProtect interface to exploit this issue.

This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.

Prisma Access customers are not impacted by this issue.

Product Status

  Product             Versions Affected   Unaffected
  Prisma Access 2.2   None                all
  Prisma Access 2.1   None                all
  PAN-OS 10.1         None                10.1.*
  PAN-OS 10.0         None                10.0.*
  PAN-OS 9.1          None                9.1.*
  PAN-OS 9.0          None                9.0.*
  PAN-OS 8.1          < 8.1.17            >= 8.1.17

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a
GlobalProtect portal or gateway enabled. You can verify whether you have a
GlobalProtect portal or gateway configured by checking for entries in
'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect >
Gateways' from the web interface.

Severity: CRITICAL
CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type: CWE-121 Stack-based Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined
for GlobalProtect portal and gateway interfaces to block attacks against
CVE-2021-3064. It is not necessary to enable SSL decryption to detect and
block attacks against this issue.

Acknowledgments

Palo Alto Networks thanks the Randori Attack Team
(https://twitter.com/RandoriAttack) for discovering and reporting this
issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this
vulnerability?
No. Due to the nature of the vulnerability, there is no reliable indicator
of compromise.

Q. Is this issue a remote code execution (RCE) vulnerability?
This issue is an RCE vulnerability. This issue enables an unauthenticated
network-based attacker with access to a GlobalProtect interface to execute
arbitrary code with root user privileges.

Q. Has this issue been exploited in the wild?
No evidence of active exploitation was identified at the time this advisory
was published.
Timeline

2021-11-10 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
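Editor's worked example, added to this redistribution and not part of the
AusCERT bulletin or of Palo Alto Networks' advisories: the eight advisories
above each publish a fixed-version table and a CVSS v3.1 vector, and the
script below transcribes both and turns them into a check a practitioner can
run against a firewall's reported version. It orders PAN-OS versions so that a
hotfix release (9.0.14-h3) sorts after its base release (9.0.14) and before
the next maintenance release (9.0.15), which matters because five of the
advisories are fixed only in an -hN hotfix; it treats CVE-2021-3062 as
applicable only when the caller says the device is VM-Series, since that
advisory lists only VM-Series on AWS; and it re-derives each base score from
the vector with the CVSS v3.1 formula (section 7 of the specification) so the
printed scores can be verified rather than trusted. The version strings passed
in the usage section are constructed, not taken from a real device.

```python
# Exposure check for the eight PAN-OS advisories in ESB-2021.3834: order PAN-OS
# versions correctly, compare a version with each advisory's fixed-version
# table, and re-derive each CVSS v3.1 base score from the published vector.
import math
import re
from typing import Dict, List, Tuple

# Per CVE: (CVSS v3.1 vector, {release train: first fixed version}), transcribed
# from the advisories. A train absent from a table is not affected by that CVE
# (10.1 for CVE-2021-3056; every train above 8.1 for CVE-2021-3064).
_H1 = {"8.1": "8.1.20-h1", "9.0": "9.0.14-h3", "9.1": "9.1.11-h2", "10.0": "10.0.8", "10.1": "10.1.3"}
ADVISORIES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "CVE-2021-3056": ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                      {"8.1": "8.1.20", "9.0": "9.0.14", "9.1": "9.1.9", "10.0": "10.0.1"}),
    "CVE-2021-3058": ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", _H1),
    "CVE-2021-3059": ("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", _H1),
    "CVE-2021-3060": ("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", _H1),
    "CVE-2021-3061": ("CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", _H1),
    "CVE-2021-3062": ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                      {"8.1": "8.1.20", "9.0": "9.0.14", "9.1": "9.1.11", "10.0": "10.0.8"}),
    "CVE-2021-3063": ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                      {"8.1": "8.1.21", "9.0": "9.0.14-h4", "9.1": "9.1.11-h3", "10.0": "10.0.8-h4", "10.1": "10.1.3"}),
    "CVE-2021-3064": ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", {"8.1": "8.1.17"}),
}
VM_SERIES_ONLY = {"CVE-2021-3062"}  # the advisory lists only VM-Series (AWS) as affected
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'9.0.14-h3' -> (9, 0, 14, 3). A hotfix sorts after its base release and
    before the next maintenance release: 9.0.14 < 9.0.14-h3 < 9.0.15."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def affected_cves(version: str, vm_series: bool = False) -> List[str]:
    """CVEs from this bulletin whose first fixed release the given version predates."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    hits = []
    for cve, (_vector, fixed_in) in ADVISORIES.items():
        if cve in VM_SERIES_ONLY and not vm_series:
            continue
        fixed = fixed_in.get(train)
        if fixed is not None and v < parse_version(fixed):
            hits.append(cve)
    return hits

# CVSS v3.1 base-score weights; Privileges Required is weighted higher when
# the scope changes (S:C).
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
      "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}}

def _roundup(x: float) -> float:
    """Round up to one decimal using the spec's integer trick (avoids FP noise)."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector: str) -> float:
    """CVSS v3.1 base score for a 'CVSS:3.1/AV:../AC:../...' vector string."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    m = dict(p.split(":", 1) for p in parts[1:])
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _W["PR"][m["S"]][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + expl if m["S"] == "U" else 1.08 * (impact + expl)
    return _roundup(min(total, 10.0))

def severity(score: float) -> str:
    return ("NONE" if score == 0 else "LOW" if score < 4 else
            "MEDIUM" if score < 7 else "HIGH" if score < 9 else "CRITICAL")

def report(version: str, vm_series: bool = False) -> List[Tuple[str, str, float, str]]:
    """(CVE, first fixed version, recomputed base score, severity) per applicable CVE."""
    train = "{}.{}".format(*parse_version(version)[:2])
    rows = []
    for cve in affected_cves(version, vm_series):
        vector, fixed_in = ADVISORIES[cve]
        score = base_score(vector)
        rows.append((cve, fixed_in[train], score, severity(score)))
    return rows

if __name__ == "__main__":
    # Constructed input: a VM-Series firewall still running 9.1.10.
    for cve, fixed, score, sev in report("9.1.10", vm_series=True):
        print(f"{cve}: affected, fixed in {fixed}, CVSS {score} {sev}")
```

Two caveats follow from the tables themselves. An empty result for a train the
advisories never mention (PAN-OS 8.0, for instance) means "not covered by this
bulletin", not "safe". And the version check is only the first half of
exposure: CVE-2021-3060 additionally needs a SCEP profile plus the default
master key, CVE-2021-3056 needs Clientless VPN with SAML, and the GlobalProtect
issues need a portal or gateway, so pair the script's output with the "Required
Configuration for Exposure" sections above.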
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYYxmO+NLKJtyKPYoAQi3Zw//SBmjuwibRpGz9wB2Glt9iw/XpE8cGXUv
3m8oluYLllQujuTB8nJ2dz621/6F0CP7BUfs994KEqUujNLwZIkAxDWLa9UVYcWF
enLDbZJwheiKPCHgZwLCZII79MRJKx9S804kuZi/trQ5KNeI8d31V/yzxzwoxtoY
MWDJ+2YRCf0icLuudll/aI51TFSjJyGV7Q1y2jl/UpPMt+k6x5VO1DXPO9t/9qCw
EOjfgKeW6aZNc1hr7LwBJTPf3+fo50L2bJ8D4QFjV2LAFIWCj1IC54yPfBGygOtj
PzfA69ze74mcPHkGabhCoEi6J/baP1eBHYbFwHRdQe8MGiEUVh/QkJM2JErEymKK
IIp4gBwMJ+n+YbMOd1372W6DkwSJbj1QUay/DUVPv/m/gHPahBpdjekeN7Fy5BfP
s15QTwW7Fj16GQDvn4JAVuk4M6irrB9BnwFZ/i9jD1OF3WwR4eETy381K8lT7i2A
j9AQcErsztTdJdglqOGLpzKqVvI5jUYD35yw1U1VG3CNT8IlHLAoZCx3e84p5BNN
aH1nzEdOgZdlBfviAd8PIt8+usI4RKY2nKdHXw/D7YnbzQo7AoHYzQ4ZV478mNUT
40tOe2Xunf0C/n38Ly7KLmt11gy/4yCpB2X9XFJXxp7cy5/pTaeQY1w+WSqHBhzy
CqN+QAqe/C0=
=+1CN
-----END PGP SIGNATURE-----