An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces. It enables an unauthenticated network-based attacker to send specially crafted traffic to a GlobalProtect interface that causes the service to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode.
This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.21;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h4;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h3;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4;
PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.
Prisma Access customers are not impacted by this issue.
| Versions | Affected | Unaffected |
|---|---|---|
| Prisma Access 2.2 | None | all |
| Prisma Access 2.1 | None | all |
| PAN-OS 10.1 | < 10.1.3 | >= 10.1.3 |
| PAN-OS 10.0 | < 10.0.8-h4 | >= 10.0.8-h4 |
| PAN-OS 9.1 | < 9.1.11-h3 | >= 9.1.11-h3 |
| PAN-OS 9.0 | < 9.0.14-h4 | >= 9.0.14-h4 |
| PAN-OS 8.1 | < 8.1.21 | >= 8.1.21 |
This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' from the web interface.
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
This issue is fixed in PAN-OS 8.1.21, PAN-OS 9.0.14-h4, PAN-OS 9.1.11-h3, PAN-OS 10.0.8-h4, PAN-OS 10.1.3, and all later PAN-OS versions.
Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect interfaces to block attacks against CVE-2021-3063.
It is not necessary to enable SSL decryption to detect and block attacks against this issue.
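To triage a firewall inventory against the version table and the GlobalProtect applicability condition above, the following added example (not part of the Palo Alto Networks advisory) compares PAN-OS version strings, including `-hN` hotfix suffixes, with the first fixed build of each release train. The inventory record layout and the `globalprotect_enabled` field are assumptions made for illustration, and the sample devices are constructed.

```python
import re

# First fixed build per PAN-OS release train, from the advisory: (maintenance, hotfix).
FIXED = {(8, 1): (21, 0), (9, 0): (14, 4), (9, 1): (11, 3),
         (10, 0): (8, 4), (10, 1): (3, 0)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split '9.0.14-h4' into ((9, 0), (14, 4)); no -hN suffix means hotfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (maint, hotfix)


def version_affected(text):
    """True/False per the advisory; None for trains older than 8.1 (not listed)."""
    train, build = parse_version(text)
    if train in FIXED:
        return build < FIXED[train]
    if train > max(FIXED):
        return False  # the advisory states all later PAN-OS versions are fixed
    return None  # the advisory makes no statement about this train


def assess(device):
    """Classify one inventory record (hypothetical schema) for CVE-2021-3063."""
    if not device["globalprotect_enabled"]:
        return "not applicable (no GlobalProtect portal or gateway)"
    verdict = version_affected(device["version"])
    if verdict is None:
        return "not listed in advisory"
    return "AFFECTED" if verdict else "fixed"


# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "fw-a", "version": "9.0.14-h3", "globalprotect_enabled": True},
    {"name": "fw-b", "version": "9.0.14-h4", "globalprotect_enabled": True},
    {"name": "fw-c", "version": "10.1.2", "globalprotect_enabled": False},
    {"name": "fw-d", "version": "8.0.20", "globalprotect_enabled": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(f"{dev['name']:6} {dev['version']:10} {assess(dev)}")
```

A base release such as 9.0.14 sorts before its hotfixes, so it is reported as affected even though it shares the maintenance number of the fixed build 9.0.14-h4.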