Palo Alto Networks Security Advisories / CVE-2021-3061

CVE-2021-3061 PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)

Severity 6.4 · MEDIUM
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers are not impacted by this issue.

Product Status

Versions            Affected        Unaffected
Prisma Access 2.2   None            all
Prisma Access 2.1   None            all
PAN-OS 10.1         < 10.1.3        >= 10.1.3
PAN-OS 10.0         < 10.0.8        >= 10.0.8
PAN-OS 9.1          < 9.1.11-h2     >= 9.1.11-h2
PAN-OS 9.0          < 9.0.14-h3     >= 9.0.14-h3
PAN-OS 8.1          < 8.1.20-h1     >= 8.1.20-h1
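The table above is easy to misread where the fix is a hotfix release: PAN-OS 9.1.11 is still affected, while 9.1.11-h2 is not. The following Python check, added here as an example and not part of the advisory or of any Palo Alto Networks tooling, encodes the fixed releases from this advisory and compares a version string with the hotfix suffix taken into account. The `sw-version:` line format and the sample output are assumed and constructed for the example.

```python
import re

# First fixed release per release train, taken from this advisory (CVE-2021-3061).
FIXED_IN = {
    (8, 1): "8.1.20-h1",
    (9, 0): "9.0.14-h3",
    (9, 1): "9.1.11-h2",
    (10, 0): "10.0.8",
    (10, 1): "10.1.3",
}
LATEST_LISTED_TRAIN = (10, 1)  # "all later PAN-OS versions" are fixed

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A base release sorts before its hotfixes: 9.1.11 -> (9, 1, 11, 0) is
    less than 9.1.11-h2 -> (9, 1, 11, 2), which is what the advisory means
    by 'earlier than 9.1.11-h2'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """Return True if the release falls inside an affected range of this advisory."""
    parsed = parse_panos_version(version)
    train = parsed[:2]
    if train > LATEST_LISTED_TRAIN:
        return False  # later train, fixed per the advisory
    if train not in FIXED_IN:
        # e.g. 8.0: not covered by this advisory, so refuse to guess
        raise ValueError(f"release train {train[0]}.{train[1]} is not covered by the advisory")
    return parsed < parse_panos_version(FIXED_IN[train])


def affected_from_show_system_info(output: str) -> bool:
    """Extract the 'sw-version:' line from CLI output and evaluate it (assumed format)."""
    match = re.search(r"^\s*sw-version:\s*(\S+)", output, re.MULTILINE)
    if not match:
        raise ValueError("no sw-version line found")
    return is_affected(match.group(1))


# Constructed sample of the assumed 'show system info' output format.
SAMPLE_OUTPUT = "hostname: fw-edge-01\nmodel: PA-VM\nsw-version: 9.1.11\n"
```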

Severity: MEDIUM

CVSSv3.1 Base Score: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-78 OS Command Injection

Solution

This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS CLI. You can mitigate the impact of this issue by following best practices for securing PAN-OS software. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks CJ, an external security researcher, and Ben Nott from Palo Alto Networks for discovering and reporting this issue.

Timeline

Prisma Access customers are not impacted
Initial publication