CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces

Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.

This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.

Prisma Access customers are not impacted by this issue.

Product Status

Versions            Affected    Unaffected
Prisma Access 2.2   None        all
Prisma Access 2.1   None        all
PAN-OS 10.1         None        10.1.*
PAN-OS 10.0         None        10.0.*
PAN-OS 9.1          None        9.1.*
PAN-OS 9.0          None        9.0.*
PAN-OS 8.1          < 8.1.17    >= 8.1.17

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' from the web interface.
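
The following triage script is an added example, not part of the original advisory or any Palo Alto Networks tooling. It applies the Product Status table and the exposure condition above to a firewall inventory. The inventory records, hostnames and status labels are constructed for illustration, and it assumes that a hotfix build (for example "8.1.16-h2") of an earlier maintenance release still counts as earlier than 8.1.17.

```python
import re

# Fixed release and unaffected trains, taken from the Product Status table above.
FIXED_8_1 = (8, 1, 17)
UNAFFECTED_TRAINS = {(9, 0), (9, 1), (10, 0), (10, 1)}

# PAN-OS version strings are major.minor.maintenance with an optional
# hotfix suffix such as "-h3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def triage(sw_version, globalprotect_enabled):
    """Classify one firewall against the advisory's version and config conditions."""
    major, minor, maint, _hotfix = parse_panos_version(sw_version)
    if (major, minor) in UNAFFECTED_TRAINS:
        return "unaffected"
    if (major, minor) != (8, 1):
        return "not-listed"  # the advisory makes no statement for this train
    if (major, minor, maint) >= FIXED_8_1:
        return "unaffected"
    # Affected version: exposure additionally needs a portal or gateway (assumed labels).
    return "exposed" if globalprotect_enabled else "affected-version-no-globalprotect"


# Constructed sample inventory: (hostname, sw-version, portal or gateway configured).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "8.1.16-h2", True),
    ("fw-edge-02", "8.1.17", True),
    ("fw-core-01", "8.1.15", False),
    ("fw-dc-01", "9.1.11-h3", True),
    ("fw-lab-01", "8.0.20", True),
]


def triage_inventory(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver, gp) for host, ver, gp in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "not-listed" run a release train the advisory does not mention and need separate review.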

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-121 Stack-based Buffer Overflow

Solution

This issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against CVE-2021-3064.

It is not necessary to enable SSL decryption to detect and block attacks against this issue.

Acknowledgments

Palo Alto Networks thanks the Randori Attack Team (https://twitter.com/RandoriAttack) for discovering and reporting this issue.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this vulnerability?

No. Due to the nature of the vulnerability, there is no reliable indicator of compromise.

Q. Is this issue a remote code execution (RCE) vulnerability?

This issue is an RCE vulnerability. This issue enables an unauthenticated network-based attacker with access to a GlobalProtect interface to execute arbitrary code with root user privileges.

Q. Has this issue been exploited in the wild?

No evidence of active exploitation was identified at the time this advisory was published.

Timeline

Initial publication