Palo Alto Networks Security Advisories / CVE-2021-3056

CVE-2021-3056 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Clientless VPN During SAML Authentication

047910
Severity 8.8 · HIGH
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required LOW
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH

Description

A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Clientless VPN enables an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.9;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Prisma Access customers with Prisma Access 2.1 Preferred firewalls are impacted by this issue.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.1None10.1.*
PAN-OS 10.0< 10.0.1>= 10.0.1
PAN-OS 9.1< 9.1.9>= 9.1.9
PAN-OS 9.0< 9.0.14>= 9.0.14
PAN-OS 8.1< 8.1.20>= 8.1.20
Prisma Access 2.2Noneall
Prisma Access 2.1PreferredInnovation

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with the Clientless VPN feature and SAML authentication enabled for GlobalProtect Portal.

Severity:HIGH

CVSSv3.1 Base Score:8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-120 Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.1, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions.

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91585 on traffic processed by the firewall to block attacks against CVE-2021-3056.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during an internal security review.

Timeline

Initial publication
© 2022 Palo Alto Networks, Inc. All rights reserved.