11.12.2021

Palo Alto Various Vulnerability

By MCNC Admin

Date of Notice: 11/12/2021

Action Level - Critical to Medium depending on devices

Description

Palo Alto recently released a Security Advisory addressing numerous Critical, High, and Medium CVSS score vulnerabilities. The full list of security advisories is available here.

CVE-2021-3064 is scored 9.8 and affects PAN-OS. It is a Memory Corruption Vulnerability in GlobalProtect.

CVE-2021-3058 is scored 8.8 and affects PAN-OS. It is a Command Injection Vulnerability in the Web Interface XML API.

CVE-2021-3056 is scored 8.8 and affects PAN-OS and Prisma Access. It is a Memory Corruption Vulnerability in GlobalProtect Clientless VPN.

CVE-2021-3059 is scored 8.1 and affects PAN-OS and Prisma Access. It is an OS Command Injection Vulnerability.

CVE-2021-3060 is scored 8.1 and affects PAN-OS and Prisma Access. It is an OS Command Injection Vulnerability in the Simple Certificate Enrollment Protocol.

CVE-2021-3062 is scored 8.1 and affects PAN-OS. It is an Improper Access Control Vulnerability.

CVE-2021-3063 is scored 7.5 and affects PAN-OS. It is a DoS Vulnerability in the GlobalProtect Portal and Gateway Interfaces.

CVE-2021-3061 is scored 6.4 and affects PAN-OS and Prisma Access. It is a Command Injection Vulnerability in the CLI.

Affected Devices

  • x.x.x.x

Affected Software

  • CVE-2021-3064
    • PAN-OS < 8.1.17
  • CVE-2021-3058
    • PAN-OS < 10.1.3
    • PAN-OS < 10.0.8
    • PAN-OS < 9.1.11-h2
    • PAN-OS < 9.0.14-h3
    • PAN-OS < 8.1.20-h1
  • CVE-2021-3056
    • PAN-OS < 10.0.1
    • PAN-OS < 9.1.9
    • PAN-OS < 9.0.14
    • PAN-OS < 8.1.20
  • CVE-2021-3059 
    • PAN-OS < 10.1.3
    • PAN-OS < 10.0.8
    • PAN-OS < 9.1.11-h2
    • PAN-OS < 9.0.14-h3
    • PAN-OS < 8.1.20-h1
  • CVE-2021-3060
    • Prisma Access 2.1 Preferred, Innovation
    • PAN-OS < 10.1.3
    • PAN-OS < 10.0.8
    • PAN-OS < 9.1.11-h2
    • PAN-OS < 9.0.14-h3
    • PAN-OS < 8.1.20-h1
  • CVE-2021-3062
    • PAN-OS < 10.0.8 on VM-Series
    • PAN-OS < 9.1.11 on VM-Series
    • PAN-OS < 9.0.14 on VM-Series
    • PAN-OS < 8.1.20 on VM-Series
  • CVE-2021-3063
    • PAN-OS < 10.1.3
    • PAN-OS < 10.0.8-h4
    • PAN-OS < 9.1.11-h3
    • PAN-OS < 9.0.14-h4
    • PAN-OS < 8.1.21
  • CVE-2021-3061
    • Prisma Access 2.1 Preferred, Innovation
    • PAN-OS < 10.1.3
    • PAN-OS < 10.0.8
    • PAN-OS < 9.1.11-h2
    • PAN-OS < 9.0.14-h3
    • PAN-OS < 8.1.20-h1
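
The per-CVE thresholds above can be checked against a device's reported version, as in this added example (not MCNC's or Palo Alto's code). It assumes version strings of the form `major.minor.patch[-hN]`, compares only within a release train that the list names for that CVE, and does not cover the Prisma Access entries; the function names and the inventory in the demo are constructed.

```python
import re

# Fixed-in versions transcribed from the "Affected Software" list above.
COMMON = ["10.1.3", "10.0.8", "9.1.11-h2", "9.0.14-h3", "8.1.20-h1"]
FIXED = {
    "CVE-2021-3064": ["8.1.17"],
    "CVE-2021-3058": COMMON,
    "CVE-2021-3056": ["10.0.1", "9.1.9", "9.0.14", "8.1.20"],
    "CVE-2021-3059": COMMON,
    "CVE-2021-3060": COMMON,
    "CVE-2021-3062": ["10.0.8", "9.1.11", "9.0.14", "8.1.20"],
    "CVE-2021-3063": ["10.1.3", "10.0.8-h4", "9.1.11-h3", "9.0.14-h4", "8.1.21"],
    "CVE-2021-3061": COMMON,
}
VM_SERIES_ONLY = {"CVE-2021-3062"}  # listed above as "on VM-Series"


def parse(version):
    """'9.1.11-h2' -> (9, 1, 11, 2); a release without a hotfix gets hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def affected_cves(version, vm_series=False):
    """Return the CVEs whose listed threshold the given version falls below."""
    have = parse(version)
    hits = []
    for cve, fixes in FIXED.items():
        if cve in VM_SERIES_ONLY and not vm_series:
            continue
        for fix in map(parse, fixes):
            # Compare only inside the same major.minor train; a train the
            # list does not name for this CVE is not judged either way.
            if fix[:2] == have[:2] and have < fix:
                hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported version, is VM-Series)
    for host, ver, vm in [("fw-edge-1", "9.1.11-h2", False),
                          ("fw-cloud-1", "8.1.16", True),
                          ("fw-core-1", "10.1.3", False)]:
        print(host, ver, affected_cves(ver, vm) or "no listed CVE applies")
```
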

Attack Vector

  • CVE-2021-3064
    • Unauthenticated, network-based
      • Can disrupt device and potentially execute arbitrary code
  • CVE-2021-3058
    • Network-based, Authenticated administrator with access to XML API
      • Able to use this for escalation of privileges
  • CVE-2021-3056
    • Network-based, Authenticated user on clientless VPN
      • Able to execute arbitrary code with root user privileges.
  • CVE-2021-3059 
    • Network-based, Management Interface during dynamic updates
      • Permits MITM attack to execute arbitrary code
  • CVE-2021-3060
    • Network-based, SCEP feature, GlobalProtect interface access
      • Permits OS Command Injection via SCEP feature
  • CVE-2021-3062
    • Network-based, unauthenticated user, GlobalProtect portals
      • Permits unauthenticated user to connect to EC2 instance and run any EC2 operation allowed by AWS
  • CVE-2021-3063
    • Network-based, unauthenticated user, GlobalProtect interfaces
      • Permits attacker to stop GlobalProtect service, repeated attempts can cause DoS and force device into maintenance mode
  • CVE-2021-3061
    • Local, authenticated user
      • CLI access permits escalation of privilege via arbitrary commands

Attack Feasibility

While there is no widespread news regarding these vulnerabilities, the attacks should be taken seriously, as several require only network access and nothing more. CVE-2021-3063 should be the baseline, as an unauthenticated user can attack the GlobalProtect interfaces to DoS the box. Additionally, CVE-2021-3059 can permit an attacker to execute code; however, they would need to time the dynamic update and perform a MITM attack.

Mitigations

Review the individual vulnerabilities for specifics, but general best practices mitigate some of these.

  • Ensure only users that need to access the devices have accounts
  • Ensure proper network segmentation and that the Management interfaces of the Palo Alto devices are only accessible from a management network and jump host

Additionally, some of these can be blocked either by disabling the feature (dynamic updates) or by enabling blocking of the specific attack signatures via their Unique Threat IDs.

Remediation

For Prisma Access 2.1 vulnerabilities, there is not currently a patch; mitigate as far as possible.
For PAN-OS, patch to at least the non-vulnerable version as detailed in the Palo Alto documentation. Those versions are:

  • >= 10.1.3
  • >= 10.0.8-h4
  • >= 9.1.11-h3
  • >= 9.0.14-h4
  • >= 8.1.20-h1 
