Palo Alto Networks Security Advisories / CVE-2021-3056

CVE-2021-3056 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Clientless VPN During SAML Authentication

047910
Severity 8.8 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Clientless VPN enables an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.9;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Prisma Access customers with Prisma Access 2.1 Preferred firewalls are impacted by this issue.

Product Status

VersionsAffectedUnaffected
Prisma Access 2.2Noneall
Prisma Access 2.1PreferredInnovation
PAN-OS 10.1None10.1.*
PAN-OS 10.0< 10.0.1>= 10.0.1
PAN-OS 9.1< 9.1.9>= 9.1.9
PAN-OS 9.0< 9.0.14>= 9.0.14
PAN-OS 8.1< 8.1.20>= 8.1.20

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with the Clientless VPN feature and SAML authentication enabled for GlobalProtect Portal.

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-120 Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.1, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions.

Workarounds and Mitigations

Enable signatures for Unique Threat ID 91585 on traffic processed by the firewall to block attacks against CVE-2021-3056.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during an internal security review.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.