Palo Alto Networks Security Advisories / CVE-2021-3037

CVE-2021-3037 PAN-OS: Secrets for scheduled configuration exports are logged in system logs

047910
Severity 2.3 · LOW
Attack Vector LOCAL
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact LOW
Privileges Required HIGH
Integrity Impact NONE
User Interaction NONE
Availability Impact NONE
NVD JSON
Published 2021-04-14
Updated 2021-04-14
Reference PAN-131474
Discovered externally

Description

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs.

Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.0None>= 10.0.0
PAN-OS 9.1< 9.1.4>= 9.1.4
PAN-OS 9.0< 9.0.13>= 9.0.13
PAN-OS 8.1< 8.1.19>= 8.1.19

Required Configuration for Exposure

This issue is only applicable to PAN-OS devices that have been configured to use scheduled configuration exports at any time.

Severity: LOW

CVSSv3.1 Base Score: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-534 Information Exposure Through Debug Log Files

Solution

This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.4, and all later PAN-OS versions.

After you upgrade the PAN-OS appliance, you must change the connection details used in scheduled configuration exports. You should also change the credentials on the destination server that are used to export the configuration.

Acknowledgments

This issue was found by a customer of Palo Alto Networks during a security review.

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.