Palo Alto Networks Security Advisories / CVE-2021-3060

CVE-2021-3060 PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)

047910
Severity 8.1 · HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.

Product Status

VersionsAffectedUnaffected
Prisma Access 2.2Noneall
Prisma Access 2.1Preferred, Innovation
PAN-OS 10.1< 10.1.3>= 10.1.3
PAN-OS 10.0< 10.0.8>= 10.0.8
PAN-OS 9.1< 9.1.11-h2>= 9.1.11-h2
PAN-OS 9.0< 9.0.14-h3>= 9.0.14-h3
PAN-OS 8.1< 8.1.20-h1>= 8.1.20-h1

Required Configuration for Exposure

This issue is applicable only to GlobalProtect portal and gateway configurations that are configured with a SCEP profile and when the default master key was not changed.

You can determine if your configuration has a SCEP profile by selecting 'Device > Certificate Management > SCEP' from the web interface.

Note: The SCEP profile does not need to be enabled for the firewall to be at risk; it need only exist in the configuration to be a risk even if disabled.

You know you are using the default master key when the master key was not explicitly configured on the firewall. Review the master key configuration by selecting 'Device > Master Key and Diagnostics' from the web interface and change the key if needed.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue at time of publication. However, we expect exploits for this issue to become publicly available.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 Preferred and all later Prisma Access versions.

Workarounds and Mitigations

Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Access customers.

Documentation for configuring the master key is available at: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html. Please note the special requirements for high-availability (HA) and Panorama-managed environments.

Additional information is available for Prisma Access customers at: https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html.

Remove all configured SCEP profiles from the firewall to completely eliminate any risk of exploitation related to this issue. You can view any existing SCEP profiles configured on the firewall by selecting 'Device > Certificate Management > SCEP' from the web interface.

This issue requires the attacker to have network access to the GlobalProtect interface.

In addition to these workarounds, you should enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces to further mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not necessary to detect attacks against this issue.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this vulnerability?

No. Due to the nature of the vulnerability, there is no reliable indicator of compromise.

Q. Is this issue a remote code execution (RCE) vulnerability?

This issue is an RCE vulnerability. This issue enables an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges.

Q. Has this issue been exploited in the wild?

No evidence of active exploitation was identified at the time this advisory was published.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.