Palo Alto Networks Security Advisories / CVE-2021-3047

CVE-2021-3047 PAN-OS: Weak Cryptography Used in Web Interface Authentication

Severity 4.2 · MEDIUM
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE

Description

A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.19;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.10;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.4.

PAN-OS 10.1 versions are not impacted.

Product Status

Versions      Affected    Unaffected
PAN-OS 10.1   None        10.1.*
PAN-OS 10.0   < 10.0.4    >= 10.0.4
PAN-OS 9.1    < 9.1.10    >= 9.1.10
PAN-OS 9.0    < 9.0.14    >= 9.0.14
PAN-OS 8.1    < 8.1.19    >= 8.1.19
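The Product Status table above is what an administrator needs when triaging a fleet of firewalls against this advisory. The following is an added example, not Palo Alto Networks code: it encodes the fixed releases from the table, parses a PAN-OS version string, and classifies each device as affected, fixed, or in a release train the advisory does not list. The hotfix suffix handling (`-hN`) and the sample inventory (`EXAMPLE_INVENTORY`) are assumptions constructed for the example; the advisory itself only speaks in terms of base releases.

```python
"""Affected-version check for CVE-2021-3047 (constructed example, not vendor code)."""
import re

# First fixed release per train, taken from the advisory's Product Status table.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 19),
    (9, 0): (9, 0, 14),
    (9, 1): (9, 1, 10),
    (10, 0): (10, 0, 4),
}

# Release trains the advisory lists as not impacted at all.
UNAFFECTED_TRAINS = {(10, 1)}

# Assumption: PAN-OS versions look like "9.1.9" or "9.1.9-h3" (hotfix suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse a PAN-OS version string into (major, minor, patch, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version_text):
    """Return True if vulnerable, False if fixed or in an unaffected train,
    None if the advisory does not cover the version's release train at all."""
    major, minor, patch, _hotfix = parse_version(version_text)
    train = (major, minor)
    if train in UNAFFECTED_TRAINS:
        return False
    if train not in FIXED_VERSIONS:
        return None  # e.g. 8.0 or 10.2: the advisory says nothing about this train
    # Hotfixes are ignored on purpose: the advisory names base releases only,
    # so anything below the first fixed release is treated as affected.
    return (major, minor, patch) < FIXED_VERSIONS[train]


def triage(inventory):
    """Group a {hostname: version} inventory by status for patch planning."""
    report = {"affected": [], "fixed": [], "unlisted": []}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is True:
            report["affected"].append(host)
        elif status is False:
            report["fixed"].append(host)
        else:
            report["unlisted"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
EXAMPLE_INVENTORY = {
    "fw-edge-01": "9.1.9-h3",
    "fw-edge-02": "9.1.10",
    "fw-dc-01": "10.0.3",
    "fw-dc-02": "10.1.0",
    "fw-lab-01": "8.0.20",
}

if __name__ == "__main__":
    for bucket, hosts in triage(EXAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices that land in the "unlisted" bucket are not safe by default; they are simply outside the trains this advisory enumerates and need a separate check against the vendor's support matrix.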

Required Configuration for Exposure

There is no specific configuration required for this exposure—all web interface authentication methods are impacted by this issue.

Severity: MEDIUM

CVSSv3.1 Base Score: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)

Weakness Type

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Solution

This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.14, PAN-OS 9.1.10, PAN-OS 10.0.4, and all later PAN-OS versions.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Gabor Acs-Kurucz and Oliver Kunz of Google for discovering and reporting this issue.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.