Palo Alto Networks Security Advisories / CVE-2021-3062

CVE-2021-3062 PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users

Severity 8.1 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact NONE

Description

An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS.

Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS.
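Because exploitation yields the VM-Series instance role's temporary credentials, one way a defender can look for abuse is to hunt CloudTrail for calls made with that role from an address that is not the firewall's own. The following is an added example, not code from the advisory or from Palo Alto Networks; the role name, the firewall egress address and the trimmed CloudTrail records are constructed assumptions.

```python
import json
import ipaddress

# Constructed assumptions: the VM-Series instance profile role and the
# firewall's own egress addresses. Replace with your environment's values.
INSTANCE_ROLE = "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/"
FIREWALL_EGRESS = [ipaddress.ip_network("203.0.113.10/32")]

def is_firewall_address(ip: str) -> bool:
    """True if the caller's source address is one of the firewall's own."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # non-IP values such as "AWS Internal" are not the firewall
    return any(addr in net for net in FIREWALL_EGRESS)

def flag_role_misuse(records):
    """Return (time, API action, source IP) for every CloudTrail record in which
    the instance role was used from somewhere other than the firewall."""
    hits = []
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "")
        if not arn.startswith(INSTANCE_ROLE):
            continue  # some other principal; not this role's credentials
        src = rec.get("sourceIPAddress", "")
        if not is_firewall_address(src):
            hits.append((rec["eventTime"], rec["eventName"], src))
    return hits

# Constructed sample CloudTrail records, trimmed to the fields used above.
SAMPLE_TRAIL = json.loads("""[
 {"eventTime": "2021-11-10T08:00:01Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/i-0abc"}},
 {"eventTime": "2021-11-10T08:05:44Z", "eventName": "ListBuckets",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/i-0abc"}},
 {"eventTime": "2021-11-10T08:06:02Z", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
   "arn": "arn:aws:iam::123456789012:user/alice"}}
]""")

if __name__ == "__main__":
    for when, action, src in flag_role_misuse(SAMPLE_TRAIL):
        print(f"{when} {action} from {src}: instance role used off-box")
```

Only the second record is flagged: the role's credentials were used from an address that is not the firewall's, which is what credential theft through the metadata endpoint would look like in the trail.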

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls.

Prisma Access customers are not impacted by this issue.

Product Status

Versions            Affected                   Unaffected
Prisma Access 2.2   None                       all
Prisma Access 2.1   None                       all
PAN-OS 10.1         None                       10.1.* on VM-Series
PAN-OS 10.0         < 10.0.8 on VM-Series      >= 10.0.8 on VM-Series
PAN-OS 9.1          < 9.1.11 on VM-Series      >= 9.1.11 on VM-Series
PAN-OS 9.0          < 9.0.14 on VM-Series      >= 9.0.14 on VM-Series
PAN-OS 8.1          < 8.1.20 on VM-Series      >= 8.1.20 on VM-Series

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' on the web interface.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-284 Improper Access Control

Solution

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Matthew Flanagan of Computer Systems Australia (CSA) and Suresh Kumar Ponnusamy of Freshworks for discovering and reporting this issue.

Timeline

Updated credit
Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.