Palo Alto Various Vulnerability
Date of Notice: 11/12/2021
Action Level - Critical to Medium depending on devices
Description
Palo Alto recently released a Security Advisory addressing numerous Critical, High, and Medium CVSS score vulnerabilities. The full list of security advisories is available here.
CVE-2021-3064 is scored 9.8 and affects PAN-OS. It is a Memory Corruption Vulnerability in GlobalProtect.
CVE-2021-3058 is scored 8.8 and affects PAN-OS. It is a Command Injection Vulnerability in the Web Interface XML API.
CVE-2021-3056 is scored 8.8 and affects PAN-OS and Prisma Access. It is a Memory Corruption Vulnerability in GlobalProtect Clientless VPN.
CVE-2021-3059 is scored 8.1 and affects PAN-OS and Prisma Access. It is an OS Command Injection Vulnerability.
CVE-2021-3060 is scored 8.1 and affects PAN-OS and Prisma Access. It is an OS Command Injection Vulnerability in the Simple Certificate Enrollment Protocol.
CVE-2021-3062 is scored 8.1 and affects PAN-OS. It is an Improper Access Control Vulnerability.
CVE-2021-3063 is scored 7.5 and affects PAN-OS. It is a DoS Vulnerability in the GlobalProtect Portal and Gateway Interfaces.
CVE-2021-3061 is scored 6.4 and affects PAN-OS and Prisma Access. It is a Command Injection Vulnerability in the CLI.
Affected Devices
- x.x.x.x
Affected Software
- CVE-2021-3064
  - PAN-OS < 8.1.17
- CVE-2021-3058
  - PAN-OS < 10.1.3
  - PAN-OS < 10.0.8
  - PAN-OS < 9.1.11-h2
  - PAN-OS < 9.0.14-h3
  - PAN-OS < 8.1.20-h1
- CVE-2021-3056
  - PAN-OS < 10.0.1
  - PAN-OS < 9.1.9
  - PAN-OS < 9.0.14
  - PAN-OS < 8.1.20
- CVE-2021-3059
  - PAN-OS < 10.1.3
  - PAN-OS < 10.0.8
  - PAN-OS < 9.1.11-h2
  - PAN-OS < 9.0.14-h3
  - PAN-OS < 8.1.20-h1
- CVE-2021-3060
  - Prisma Access 2.1 Preferred, Innovation
  - PAN-OS < 10.1.3
  - PAN-OS < 10.0.8
  - PAN-OS < 9.1.11-h2
  - PAN-OS < 9.0.14-h3
  - PAN-OS < 8.1.20-h1
- CVE-2021-3062
  - PAN-OS < 10.0.8 on VM-Series
  - PAN-OS < 9.1.11 on VM-Series
  - PAN-OS < 9.0.14 on VM-Series
  - PAN-OS < 8.1.20 on VM-Series
- CVE-2021-3063
  - PAN-OS < 10.1.3
  - PAN-OS < 10.0.8-h4
  - PAN-OS < 9.1.11-h3
  - PAN-OS < 9.0.14-h4
  - PAN-OS < 8.1.21
- CVE-2021-3061
  - Prisma Access 2.1 Preferred, Innovation
  - PAN-OS < 10.1.3
  - PAN-OS < 10.0.8
  - PAN-OS < 9.1.11-h2
  - PAN-OS < 9.0.14-h3
  - PAN-OS < 8.1.20-h1
Attack Vector
- CVE-2021-3064
  - Unauthenticated, network-based
  - Can disrupt the device and potentially execute arbitrary code
- CVE-2021-3058
  - Network-based, authenticated administrator with access to the XML API
  - Able to use this for escalation of privileges
- CVE-2021-3056
  - Network-based, authenticated user on clientless VPN
  - Able to execute arbitrary code with root user privileges
- CVE-2021-3059
  - Network-based, management interface during dynamic updates
  - Permits a MITM attacker to execute arbitrary code
- CVE-2021-3060
  - Network-based, SCEP feature, GlobalProtect interface access
  - Permits OS command injection via the SCEP feature
- CVE-2021-3062
  - Network-based, unauthenticated user, GlobalProtect portals
  - Permits an unauthenticated user to connect to the EC2 instance and run any EC2 operation allowed by AWS
- CVE-2021-3063
  - Network-based, unauthenticated user, GlobalProtect interfaces
  - Permits an attacker to stop the GlobalProtect service; repeated attempts can cause a DoS and force the device into maintenance mode
- CVE-2021-3061
  - Local, authenticated user
  - CLI access permits escalation of privilege via arbitrary commands
Attack Feasibility
While there isn't widespread news regarding these vulnerabilities, the attacks should be taken seriously, as several require nothing more than network access. CVE-2021-3063 should be the baseline, as an unauthenticated user can attack the GlobalProtect interfaces to DoS the box. Additionally, CVE-2021-3059 can permit an attacker to execute code; however, they would need to time the dynamic update and perform a MITM attack.
Mitigations
Review the individual vulnerabilities for specifics, but general best practices mitigate some of these.
- Ensure only users that need to access the devices have accounts
- Ensure proper network segmentation and that the Management interfaces of the Palo Alto devices are only accessible from a management network and jump host
Additionally, some of these can be blocked by either disabling the affected feature (e.g. dynamic updates) or enabling blocking of the specific attack signatures via their Unique Threat IDs.
Remediation
For Prisma Access 2.1 vulnerabilities, there is not currently a patch; mitigate where possible.
For PAN-OS, patch to at least the non-vulnerable version as detailed in the Palo Alto documentation. Those versions would be:
- >= 10.1.3
- >= 10.0.8-h4
- >= 9.1.11-h3
- >= 9.0.14-h4
- >= 8.1.20-h1
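As an added example (not part of the original notice and not Palo Alto's own tooling), the following Python encodes the per-CVE fix thresholds from the Affected Software list above, reports which of the listed CVEs still apply to a device running a given PAN-OS version, and computes the lowest version on a branch that closes all of them. It assumes PAN-OS version strings of the form major.minor.patch with an optional -hN hotfix suffix, treats branches not listed under a CVE as unaffected by it, and does not model the Prisma Access entries.

```python
import re
from typing import List, Optional, Tuple

# Fix thresholds per CVE keyed by PAN-OS branch ("major.minor"), taken from the
# Affected Software list above. A branch is affected while below the listed fix;
# branches not listed for a CVE are treated as unaffected by it (assumption).
FIXES = {
    "CVE-2021-3064": {"8.1": "8.1.17"},
    "CVE-2021-3058": {"10.1": "10.1.3", "10.0": "10.0.8", "9.1": "9.1.11-h2",
                      "9.0": "9.0.14-h3", "8.1": "8.1.20-h1"},
    "CVE-2021-3056": {"10.0": "10.0.1", "9.1": "9.1.9", "9.0": "9.0.14",
                      "8.1": "8.1.20"},
    "CVE-2021-3059": {"10.1": "10.1.3", "10.0": "10.0.8", "9.1": "9.1.11-h2",
                      "9.0": "9.0.14-h3", "8.1": "8.1.20-h1"},
    "CVE-2021-3060": {"10.1": "10.1.3", "10.0": "10.0.8", "9.1": "9.1.11-h2",
                      "9.0": "9.0.14-h3", "8.1": "8.1.20-h1"},
    "CVE-2021-3062": {"10.0": "10.0.8", "9.1": "9.1.11", "9.0": "9.0.14",
                      "8.1": "8.1.20"},
    "CVE-2021-3063": {"10.1": "10.1.3", "10.0": "10.0.8-h4", "9.1": "9.1.11-h3",
                      "9.0": "9.0.14-h4", "8.1": "8.1.21"},
    "CVE-2021-3061": {"10.1": "10.1.3", "10.0": "10.0.8", "9.1": "9.1.11-h2",
                      "9.0": "9.0.14-h3", "8.1": "8.1.20-h1"},
}
VM_SERIES_ONLY = {"CVE-2021-3062"}  # listed only as "on VM-Series" above

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.11-h2' into (9, 1, 11, 2); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def outstanding_cves(version: str, vm_series: bool = False) -> List[str]:
    """CVEs from this notice that still apply to a device running `version`."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    hits = []
    for cve, fixes in FIXES.items():
        if cve in VM_SERIES_ONLY and not vm_series:
            continue  # hardware platforms are not listed as affected
        fix = fixes.get(branch)
        if fix is not None and v < parse_version(fix):
            hits.append(cve)
    return hits

def minimum_fixed_version(branch: str) -> Optional[str]:
    """Lowest version on `branch` at which none of the listed CVEs remain."""
    fixes = [f[branch] for f in FIXES.values() if branch in f]
    return max(fixes, key=parse_version) if fixes else None
```

Feed it the versions from your device inventory (the "x.x.x.x" placeholders above) to get a per-device list of open CVEs before scheduling patch windows.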