CVE-2021-3059 PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges.
This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;
PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.
Prisma Access customers are not impacted by this issue.
| Versions          | Affected     | Unaffected    |
|-------------------|--------------|---------------|
| PAN-OS 10.1       | < 10.1.3     | >= 10.1.3     |
| PAN-OS 10.0       | < 10.0.8     | >= 10.0.8     |
| PAN-OS 9.1        | < 9.1.11-h2  | >= 9.1.11-h2  |
| PAN-OS 9.0        | < 9.0.14-h3  | >= 9.0.14-h3  |
| PAN-OS 8.1        | < 8.1.20-h1  | >= 8.1.20-h1  |
| Prisma Access 2.2 | None         | all           |
| Prisma Access 2.1 | None         | all           |
Required Configuration for Exposure
This issue is applicable only to firewalls and Panoramas that receive dynamic updates from an update server.
To verify this on firewalls not managed by Panorama, review ‘Device > Dynamic Updates’ in the web interface.
To verify this on Panorama, review ‘Panorama > Dynamic Updates’ in the web interface.
To verify this for Panorama-managed firewalls, review ‘Panorama > Device Deployment > Dynamic Updates’ in the Panorama web interface.
Firewalls that only receive content updates pushed from Panoramas are not susceptible to this issue.
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.
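The fixed-version list above is easy to misread when a hotfix suffix is involved (9.0.14 is affected, 9.0.14-h3 is not). The following script is an added example, not part of the advisory or of any Palo Alto Networks tooling: it encodes the fixed versions from this advisory, parses PAN-OS version strings of the form MAJOR.MINOR.MAINT[-hN], and reports whether a given version is affected. It also combines that result with the "receives dynamic updates from an update server" condition from the Required Configuration section, since a vulnerable version with no server-side update configuration is not exposed. Branches the advisory does not name (for example 8.0) are reported as "unlisted" rather than guessed. The version strings in the usage block are constructed inputs.

```python
import re

# Fixed versions taken from the advisory text, keyed by release branch.
FIXED_VERSIONS = {
    "8.1": "8.1.20-h1",
    "9.0": "9.0.14-h3",
    "9.1": "9.1.11-h2",
    "10.0": "10.0.8",
    "10.1": "10.1.3",
}

# PAN-OS versions look like 10.1.3 or 9.0.14-h3 (the -hN part is a hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A missing hotfix suffix is treated as hotfix 0, so a base release sorts
    below every hotfix of that release: 9.0.14 < 9.0.14-h1 < 9.0.14-h3.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix) if hotfix else 0)


def cve_2021_3059_status(version):
    """Return 'affected', 'fixed' or 'unlisted' for a PAN-OS version string.

    'unlisted' means the release branch is not in the advisory's table; the
    script does not extrapolate to branches the advisory does not name.
    """
    parsed = parse_panos_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unlisted"
    return "affected" if parsed < parse_panos_version(fixed) else "fixed"


def is_exposed(version, receives_updates_from_server):
    """Exposure requires both an affected version and dynamic updates
    fetched from an update server (see Required Configuration for Exposure).
    Firewalls that only receive content pushed from Panorama are not exposed.
    """
    return cve_2021_3059_status(version) == "affected" and receives_updates_from_server


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, pulls updates from server)
    inventory = [
        ("fw-edge-1", "9.0.14", True),
        ("fw-edge-2", "9.0.14-h1", True),
        ("fw-edge-3", "9.0.14-h3", True),
        ("fw-branch-7", "10.1.2", False),   # content pushed from Panorama only
        ("panorama-1", "10.0.8", True),
        ("fw-legacy", "8.0.5", True),
    ]
    for host, ver, from_server in inventory:
        status = cve_2021_3059_status(ver)
        exposed = "EXPOSED" if is_exposed(ver, from_server) else "not exposed"
        print(f"{host:<12} {ver:<10} {status:<9} {exposed}")
```

Run it against an exported inventory to prioritise which devices need the fixed release first; a device on an affected version that only receives content pushed from Panorama is reported as not exposed, matching the advisory's configuration note, but still belongs on the upgrade list.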
Workarounds and Mitigations
Updating dynamic content from a local file will prevent exposure to this vulnerability until you are able to upgrade PAN-OS firewalls and Panorama to a fixed version. You can disable scheduled dynamic updates in the web interface.
Push content updates from Panorama to the managed firewalls until you are able to upgrade PAN-OS to a fixed version. The process of upgrading dynamic content on managed devices is referenced here: