Threat Response – Vulnerability in Palo Alto Networks PAN-OS 8.1 (CVE-2021-3064)

11-11-2021


On Wednesday 10 November 2021, Randori published details of a vulnerability in the PAN-OS 8.1 software of Palo Alto Networks (PAN) [1]. With this message we want to warn you about the threat and describe the mitigation steps that are available.

Description

The issue is a memory corruption vulnerability in the GlobalProtect portal and gateway interfaces [2]. An unauthenticated, network-based attacker who exploits it can execute arbitrary code and potentially obtain root privileges on the targeted PAN firewall. It affects both physical and virtual (VM-Series) PAN firewalls on which a GlobalProtect portal or gateway is enabled [1]. PAN-OS 8.1 versions earlier than 8.1.17 are affected; PAN-OS 9.0 and later are not [2]. PAN published its security advisory, with PAN-OS 8.1.17 as the fixed release, on Wednesday 10 November 2021. CVE-2021-3064 has a CVSS v3 base score of 9.8 (Critical) [3].

Impact

Once an attacker controls the firewall, they gain visibility into and access to the internal network and can move laterally from there. A compromised firewall can also be used as a foothold for further attacks, so we assess the impact as high.

Risk

To exploit this vulnerability, an attacker needs network access to the GlobalProtect portal or gateway interface of the device. Because GlobalProtect is a VPN service, that interface is usually reachable from the internet on the standard port 443. Although no public exploit exists at the time of writing, we expect one to become available soon, so we assess the risk as high.

Mitigation

CVE-2021-3064 is fixed in PAN-OS 8.1.17 and all later PAN-OS 8.1 releases. We advise upgrading PAN-OS 8.1 to the latest available version. Until the upgrade is scheduled, customers with a Threat Prevention subscription can enable threat IDs 91820 and 91855 on traffic destined for the GlobalProtect portal and gateway interfaces to block exploitation attempts [2]. Note that these signatures only take effect once the Applications and Threats content that contains them is installed and a Vulnerability Protection profile that blocks them is applied to the security policy allowing traffic to those interfaces; check that both are in place rather than assuming the default profile covers them.
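The following script is an added example, not part of the original Northwave advisory or of any Palo Alto Networks tooling. It shows the check a practitioner would run first: parse the PAN-OS version string (including hotfix suffixes such as 8.1.16-h2) and decide whether a device falls inside the affected range, PAN-OS 8.1 earlier than 8.1.17, then combine that with whether a GlobalProtect portal or gateway is enabled. The XML snippet is constructed to resemble the output of the PAN-OS XML API `show system info` command; the element names and the `gp_enabled` flag are assumptions, since the real output and the GlobalProtect configuration should be read from your own device or Panorama.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per the PAN advisory: 8.1.17 and all later 8.1 releases.
FIXED = (8, 1, 17)

# Constructed sample resembling PAN-OS XML API output for "show system info".
# Assumption: element names mirror the real output; verify against your device.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<model>PA-3220</model>
<sw-version>8.1.16-h2</sw-version>
</system></result></response>"""


def parse_panos_version(version):
    """Parse '8.1.16-h2' into ((8, 1, 16), 2). Hotfix is 0 when absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    hotfix = int(m.group(4) or 0)
    return base, hotfix


def version_affected(version):
    """True when the build is PAN-OS 8.1 earlier than 8.1.17.

    Mirrors the advisory scope only: 9.0 and later are not affected, and
    end-of-life trains such as 8.0 are outside the advisory and return False
    here, which is a reason to upgrade them, not a clean bill of health.
    """
    base, _hotfix = parse_panos_version(version)
    if base[:2] != (8, 1):
        return False
    # Hotfixes on 8.1.16 and earlier do not contain the fix; 8.1.17-hN does.
    return base < FIXED


def assess(system_info_xml, gp_enabled):
    """Combine the version check with GlobalProtect exposure.

    gp_enabled is an assumed input: whether a GlobalProtect portal or
    gateway is configured on the device (the condition the advisory names).
    """
    root = ET.fromstring(system_info_xml)
    version = root.findtext(".//sw-version")
    if version is None:
        raise ValueError("no <sw-version> element in system info output")
    vulnerable_build = version_affected(version)
    if not vulnerable_build:
        action = "none"
    elif gp_enabled:
        # Exposed: upgrade to 8.1.17+, enable threat IDs 91820/91855 meanwhile.
        action = "upgrade"
    else:
        # Vulnerable build but the affected interface is not configured.
        action = "upgrade-when-scheduled"
    return {
        "hostname": root.findtext(".//hostname"),
        "version": version,
        "vulnerable_build": vulnerable_build,
        "action": action,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_INFO, gp_enabled=True))
```

The ordering check deliberately ignores the hotfix number when the base version is below 8.1.17, because the fix shipped in 8.1.17 itself; a device reporting 8.1.16-h2 is still affected, while 8.1.17-h1 is not.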

What will Northwave do?

Northwave will monitor developments around CVE-2021-3064. We will contact you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require additional information, please contact us by phone or e-mail.

E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1] https://www.randori.com/blog/cve-2021-3064/

[2] https://security.paloaltonetworks.com/CVE-2021-3064

[3] https://nvd.nist.gov/vuln/detail/CVE-2021-3064

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.