CVE-2021-3062 PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users
An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS.
Exploitation of this vulnerability enables an attacker to retrieve the temporary credentials served by the metadata endpoint and perform any AWS operations allowed by the IAM role attached to the firewall's EC2 instance.
This issue impacts VM-Series firewalls running:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.20;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.8.
Prisma Access customers are not impacted by this issue.
| Product | Affected versions | Unaffected versions |
|---|---|---|
| PAN-OS 10.1 | None | 10.1.* on VM-Series |
| PAN-OS 10.0 | < 10.0.8 on VM-Series | >= 10.0.8 on VM-Series |
| PAN-OS 9.1 | < 9.1.11 on VM-Series | >= 9.1.11 on VM-Series |
| PAN-OS 9.0 | < 9.0.14 on VM-Series | >= 9.0.14 on VM-Series |
| PAN-OS 8.1 | < 8.1.20 on VM-Series | >= 8.1.20 on VM-Series |
| Prisma Access 2.2 | None | all |
| Prisma Access 2.1 | None | all |
Required Configuration for Exposure
This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' on the web interface.
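The following triage script is an added example and is not a Palo Alto Networks tool: it applies the affected-version thresholds and the exposure conditions stated above (VM-Series platform, GlobalProtect portal or gateway configured) to a firewall inventory. The inventory format, the `Firewall` fields (`platform`, `gp_configured`, `cloud`) and the sample entries are assumptions constructed for this example; the fixed releases are the ones listed in this advisory. Hotfix suffixes such as `9.1.10-h3` are handled explicitly, since a hotfix on an affected maintenance release does not bring it up to the fixed release.

```python
"""Triage helper for CVE-2021-3062 (added example, not vendor code).

Fixed releases come from the advisory; the inventory layout and field names
are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Fixed release per affected train (from the advisory). A VM-Series firewall
# on one of these trains is in the affected range when its maintenance
# release is earlier than the fixed release for that train.
FIXED_RELEASES = {
    (8, 1): (8, 1, 20),
    (9, 0): (9, 0, 14),
    (9, 1): (9, 1, 11),
    (10, 0): (10, 0, 8),
}
# PAN-OS 10.1 and later are unaffected per the advisory.
FIRST_UNAFFECTED_TRAIN = (10, 1)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Return (major, minor, maintenance, hotfix) for strings like '9.1.10-h3'.

    The hotfix number is parsed and kept, but a hotfix never promotes a
    release to the next maintenance version: 9.1.10-h3 is still earlier
    than the fixed release 9.1.11.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected_version(version: str) -> bool:
    """True when the version falls in an affected range of the advisory table."""
    major, minor, maint, _hotfix = parse_panos_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False  # 10.1+ is unaffected; unlisted older trains handled by assess()
    return (major, minor, maint) < fixed


@dataclass
class Firewall:
    name: str
    version: str
    platform: str        # assumed inventory field, e.g. "VM-Series" or "PA-5220"
    gp_configured: bool  # assumed field: any GlobalProtect portal or gateway configured
    cloud: str = ""      # assumed field, e.g. "aws"; only AWS has the EC2 metadata endpoint


def assess(fw: Firewall) -> str:
    """Classify one firewall against the advisory's exposure conditions."""
    major, minor, _maint, _hotfix = parse_panos_version(fw.version)
    train = (major, minor)
    if train not in FIXED_RELEASES and train < FIRST_UNAFFECTED_TRAIN:
        # e.g. 8.0 or 7.1: not listed in the advisory, so the table says nothing
        return "unlisted_train_verify_manually"
    if fw.platform != "VM-Series":
        return "not_exposed_platform"
    if not fw.gp_configured:
        return "not_exposed_no_globalprotect"
    if not is_affected_version(fw.version):
        return "not_exposed_version"
    if fw.cloud != "aws":
        # In the affected range, but no EC2 metadata endpoint to reach;
        # still on an affected release, so treat as patch-required.
        return "affected_version_not_aws"
    return "exposed"


def triage(inventory) -> dict:
    """Map firewall name -> assessment for a whole inventory."""
    return {fw.name: assess(fw) for fw in inventory}


# Constructed sample inventory for this example (not real hosts).
SAMPLE_INVENTORY = [
    Firewall("vm-aws-gp-1", "9.1.10-h3", "VM-Series", True, "aws"),
    Firewall("vm-aws-gp-2", "10.0.8", "VM-Series", True, "aws"),
    Firewall("vm-aws-nogp", "8.1.19", "VM-Series", False, "aws"),
    Firewall("pa-5220-dc", "9.0.13", "PA-5220", True, ""),
    Firewall("vm-azure-gp", "10.0.7", "VM-Series", True, "azure"),
    Firewall("vm-aws-101", "10.1.2", "VM-Series", True, "aws"),
    Firewall("vm-aws-old", "8.0.21", "VM-Series", True, "aws"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {status}")
```

Only `exposed` entries meet every condition in this advisory at once; the other statuses explain which condition fails, so a firewall on an affected release without GlobalProtect still shows up as a patch candidate rather than disappearing from the report.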
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions.
Workarounds and Mitigations
There are no known workarounds for this issue.