CVE-2021-3037 PAN-OS: Secrets for scheduled configuration exports are logged in system logs
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs.
Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server.
|PAN-OS 10.0||None||>= 10.0.0|
|PAN-OS 9.1||< 9.1.4||>= 9.1.4|
|PAN-OS 9.0||< 9.0.13||>= 9.0.13|
|PAN-OS 8.1||< 8.1.19||>= 8.1.19|
Required Configuration for Exposure
This issue is only applicable to PAN-OS devices that have been configured to use scheduled configuration exports at any time.
CVSSv3.1 Base Score: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.4, and all later PAN-OS versions.
After you upgrade the PAN-OS appliance, you must change the connection details used in scheduled configuration exports. You should also change the credentials on the destination server that are used to export the configuration.