CVE-2021-3059 PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates

Severity 8.1 · HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers are not impacted by this issue.

Product Status

Versions             Affected        Unaffected
Prisma Access 2.2    None            all
Prisma Access 2.1    None            all
PAN-OS 10.1          < 10.1.3        >= 10.1.3
PAN-OS 10.0          < 10.0.8        >= 10.0.8
PAN-OS 9.1           < 9.1.11-h2     >= 9.1.11-h2
PAN-OS 9.0           < 9.0.14-h3     >= 9.0.14-h3
PAN-OS 8.1           < 8.1.20-h1     >= 8.1.20-h1

Required Configuration for Exposure

This issue is applicable only to firewalls and Panoramas that receive dynamic updates from an update server.

To verify this on firewalls not managed by Panorama, review ‘Device > Dynamic Updates’ from the web interface.

To verify this on Panorama review ‘Panorama > Dynamic Updates’ from the web interface.

To verify this for Panorama managed firewalls review ‘Panorama > Device Deployment > Dynamic Updates’ from the Panorama web interface.

Firewalls that only receive content updates pushed from Panoramas are not susceptible to this issue.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.
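
The fixed-version thresholds above can be applied to a device inventory with a hotfix-aware comparison. The following is an added example, not Palo Alto Networks code. It assumes version strings of the form MAJOR.MINOR.PATCH with an optional -hN hotfix suffix. The function names and the sample inventory are constructed for illustration, and the check covers only the version, not the dynamic-update configuration that exposure also requires.

```python
import re

# First fixed release per PAN-OS branch, copied from this advisory.
FIXED = {
    "8.1": "8.1.20-h1",
    "9.0": "9.0.14-h3",
    "9.1": "9.1.11-h2",
    "10.0": "10.0.8",
    "10.1": "10.1.3",
}

# Assumption: versions look like MAJOR.MINOR.PATCH with an optional -hN hotfix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """'9.0.14-h3' -> (9, 0, 14, 3); a release with no hotfix sorts as hotfix 0."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(group or 0) for group in match.groups())


def status(version):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    parsed = parse(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in FIXED:
        return "affected" if parsed < parse(FIXED[branch]) else "fixed"
    # Branches newer than every listed one are "all later PAN-OS versions".
    newest = max(parse(fixed)[:2] for fixed in FIXED.values())
    return "fixed" if parsed[:2] > newest else "not-listed"


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    inventory = {"fw-edge-01": "9.0.14", "fw-edge-02": "9.0.14-h3",
                 "fw-dc-01": "10.0.7-h5", "panorama-01": "10.1.3",
                 "fw-lab-01": "8.0.20"}
    for host, version in sorted(inventory.items()):
        print(f"{host:12} {version:10} {status(version)}")
```

A result of 'not-listed' means the branch is older than any this advisory names, so the advisory gives no status for it.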

Workarounds and Mitigations

Updating dynamic content from a local file will prevent exposure to this vulnerability until you are able to upgrade PAN-OS firewalls and Panorama to a fixed version. You can disable scheduled dynamic updates in the web interface.

Push content updates from Panorama to the managed firewalls until you are able to upgrade PAN-OS to a fixed version. The process of upgrading dynamic content on managed devices is referenced here:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/panorama-web-interface/panorama-managed-devices-summary/firewall-software-and-content-updates.html

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue.

Timeline

Updated workaround and required configuration
Prisma Access is not impacted
Initial publication