Palo Alto Networks Security Advisories / CVE-2021-3037

CVE-2021-3037 PAN-OS: Secrets for scheduled configuration exports are logged in system logs

Severity 2.3 · LOW
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact NONE

Description

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs.

Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server.

Product Status

Versions       Affected    Unaffected
PAN-OS 10.0    None        >= 10.0.0
PAN-OS 9.1     < 9.1.4     >= 9.1.4
PAN-OS 9.0     < 9.0.13    >= 9.0.13
PAN-OS 8.1     < 8.1.19    >= 8.1.19

Required Configuration for Exposure

This issue is only applicable to PAN-OS devices that have been configured to use scheduled configuration exports at any time.

Severity: LOW

CVSSv3.1 Base Score: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-534 Information Exposure Through Debug Log Files

Solution

This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.4, and all later PAN-OS versions.

After you upgrade the PAN-OS appliance, you must change the connection details used in scheduled configuration exports. You should also change the credentials on the destination server that are used to export the configuration.
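
The following fleet triage helper is an added example, not code from Palo Alto Networks. It applies the Product Status table, the required-configuration condition, and the post-upgrade credential change to a device inventory. The names triage and FIXED, the version-string format, and the inventory are assumptions, and only the currently running version is considered.

```python
import re

# Fix boundaries per release train, copied from the Product Status table.
FIXED = {(8, 1): 19, (9, 0): 13, (9, 1): 4}

# Assumed version format: "9.1.3", optionally with a hotfix suffix ("9.0.12-h3").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def triage(version, exports_ever_configured):
    """Return (status, action) for one device, per the advisory's criteria."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint = map(int, m.groups())
    train = (major, minor)

    if train >= (10, 0):
        return "unaffected", "none: PAN-OS 10.0 and later are listed as unaffected"
    if train not in FIXED:
        return "unlisted", "release train is not covered by the advisory table"
    if not exports_ever_configured:
        return "no-exposure", "scheduled configuration exports were never configured"
    # A hotfix build stays affected: the fix boundary is the maintenance release.
    if maint < FIXED[train]:
        fix = f"{major}.{minor}.{FIXED[train]}"
        return "exposed", (f"upgrade to {fix} or later, then change the export "
                           "connection details and the destination-server credentials")
    return "fixed", "confirm the export credentials were changed after the upgrade"


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, scheduled exports ever configured).
    inventory = [
        ("fw-edge-01", "9.1.3", True),
        ("fw-edge-02", "9.0.12-h3", True),
        ("fw-core-01", "8.1.19", True),
        ("fw-lab-01", "8.1.15", False),
        ("fw-dc-01", "10.0.2", True),
    ]
    for host, version, exports in inventory:
        status, action = triage(version, exports)
        print(f"{host:<11} {version:<10} {status:<12} {action}")
```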

Workarounds and Mitigations

Acknowledgments

This issue was found by a customer of Palo Alto Networks during a security review.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.