CVE-2021-3054 PAN-OS: Unsigned Code Execution During Plugin Installation Race Condition Vulnerability

Severity: 7.2 · HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.7;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.2.

This issue does not affect Prisma Access.

Product Status

Versions       Affected    Unaffected
PAN-OS 10.1    < 10.1.2    >= 10.1.2
PAN-OS 10.0    < 10.0.7    >= 10.0.7
PAN-OS 9.1     < 9.1.11    >= 9.1.11
PAN-OS 9.0     < 9.0.14    >= 9.0.14
PAN-OS 8.1     < 8.1.20    >= 8.1.20

Severity: HIGH

CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.7, PAN-OS 10.1.2, and all later PAN-OS versions.
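
The fixed-version list above can be applied to a firewall inventory with a short script. This is an added example, not Palo Alto Networks code; the hostnames and sample versions are constructed, and it assumes version strings of the form major.minor.maintenance with an optional "-hN" hotfix suffix, where a hotfix of an affected maintenance release still counts as affected.

```python
import re

# Minimum fixed maintenance release per PAN-OS train, from the advisory's table.
FIXED = {(8, 1): 20, (9, 0): 14, (9, 1): 11, (10, 0): 7, (10, 1): 2}

# major.minor.maintenance with an optional hotfix suffix such as "-h3".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one PAN-OS version string."""
    match = _VERSION.match(version.strip())
    if not match:
        return "unknown"  # unparseable input is never reported as safe
    major, minor, maintenance = (int(g) for g in match.groups())
    train = (major, minor)
    if train in FIXED:
        # Assumption: a hotfix of an affected maintenance release is still affected.
        return "affected" if maintenance < FIXED[train] else "fixed"
    if train > max(FIXED):
        return "fixed"  # "all later PAN-OS versions" per the Solution section
    return "unknown"  # train not listed in the advisory (for example 8.0)


def upgrade_target(version):
    """Return the first fixed release in the same train, or None if not affected."""
    if classify(version) != "affected":
        return None
    major, minor = (int(p) for p in version.strip().split(".")[:2])
    return f"{major}.{minor}.{FIXED[(major, minor)]}"


def triage(inventory):
    """Map hostname -> (status, upgrade target) for (hostname, version) pairs."""
    return {host: (classify(ver), upgrade_target(ver)) for host, ver in inventory}


# Constructed inventory; hostnames and versions are sample values.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "9.1.10-h3"),
    ("fw-edge-02", "9.1.11"),
    ("fw-dc-01", "10.1.1"),
    ("fw-lab-01", "10.2.0"),
    ("fw-old-01", "8.0.20"),
]

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f", upgrade to {target} or later" if target else ""))
```

Versions in trains the advisory does not list are reported as unknown rather than fixed, so they surface for manual review.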

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91572 on traffic processed by the firewall to block attacks against CVE-2021-3054.

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks Praetorian for discovering and reporting this issue.

Timeline

Added threat prevention workaround for the vulnerability
Initial publication