Palo Alto Networks has released security updates to address a vulnerability affecting PAN-OS firewall configurations with GlobalProtect portal and gateway interfaces. These updates address a vulnerability that only affects old versions of PAN-OS (8.1.16 and earlier). An unauthenticated attacker with network access could exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review the Palo Alto Networks Security Advisory for [CVE-2021-3064](<https://security.paloaltonetworks.com/CVE-2021-3064>) and apply the necessary updates or workarounds.
This product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.
{"id": "CISA:2E1039367836DF6C7F538F24709ABDFF", "vendorId": null, "type": "cisa", "bulletinFamily": "info", "title": "Palo Alto Networks Release Security Updates for PAN-OS", "description": "Palo Alto Networks has released security updates to address a vulnerability affecting PAN-OS firewall configurations with GlobalProtect portal and gateway interfaces. These updates address a vulnerability that only affects old versions of PAN-OS (8.1.16 and earlier). An unauthenticated attacker with network access could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to review Palo Alto Security Advisory for [CVE-2021-3064](<https://security.paloaltonetworks.com/CVE-2021-3064>) and apply the necessary updates or workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/12/palo-alto-networks-release-security-updates-pan-os>); we'd welcome your feedback.\n", "published": "2021-11-12T00:00:00", "modified": "2021-11-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/12/palo-alto-networks-release-security-updates-pan-os", "reporter": "CISA", "references": ["https://security.paloaltonetworks.com/CVE-2021-3064"], "cvelist": ["CVE-2021-3064"], "immutableFields": [], "lastseen": "2021-11-26T18:11:13", "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-3064"]}, {"type": "hivepro", "idList": ["HIVEPRO:28DAB1D4FF2A121B74937B923A1D44B9", "HIVEPRO:BED8EF5B5E2D49B945369D9DB342D717"]}, {"type": "nessus", "idList": ["PALO_ALTO_CVE-2021-3064.NASL"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-3064"]}, {"type": "thn", "idList": ["THN:115BB605995BDAD971C6060FB3E704ED"]}, {"type": "threatpost", "idList": ["THREATPOST:03052371F383A20C440079DD064A666F", "THREATPOST:D203D198B6B3C197D6DDDA6027B4B3F9"]}], "rev": 4}, "score": {"value": 9.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-3064"]}, {"type": "hivepro", "idList": ["HIVEPRO:28DAB1D4FF2A121B74937B923A1D44B9"]}, {"type": "ics", "idList": ["ICSA-20-282-02"]}, {"type": "nessus", "idList": ["PALO_ALTO_CVE-2021-3064.NASL"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-3064"]}, {"type": "thn", "idList": ["THN:115BB605995BDAD971C6060FB3E704ED"]}, {"type": "threatpost", "idList": ["THREATPOST:03052371F383A20C440079DD064A666F", "THREATPOST:F7C1C6A7D07F7CFA8DFDD80051147A3B"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-3064", "epss": "0.001760000", "percentile": "0.530510000", "modified": "2023-03-18"}], "vulnersScore": 9.0}, "wildExploited": false, "_state": {"wildexploited": 1647356733, "dependencies": 1647589307, "score": 1684011499, "epss": 1679159933}, 
"_internal": {"wildexploited_cvelist": null, "score_hash": "e3726f778a0d1394e4a5c143c14dff39"}}
{"cve": [{"lastseen": "2023-05-27T14:40:44", "description": "A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T17:15:00", "type": "cve", "title": "CVE-2021-3064", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2021-11-15T16:18:00", "cpe": [], "id": "CVE-2021-3064", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3064", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}], "prion": [{"lastseen": "2023-08-16T03:04:08", "description": "A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces 
that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T17:15:00", "type": "prion", "title": "PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2021-11-15T16:18:00", "id": "PRION:CVE-2021-3064", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-3064", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:07", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiCU-mHlg6ZefClFzjJz9LB8St0b20UtQjwgAWzr_XDVa1QawFHoi6IKxxhaCyyvBLc7IIvzdOtZLfSIvMMZcaqKalvv8EizyNDc-7EsHFvMc_bvG5ztqP23PI5l16iz6a6SbzLQC2cGj09XJQHhFfAYP1gQslPUVMAsmwYiYluUeYlJ_h92dXXCubc>)\n\nA new 
zero-day vulnerability has been disclosed in Palo Alto Networks GlobalProtect VPN that could be abused by an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges.\n\nTracked as CVE-2021-3064 (CVSS score: 9.8), the security weakness impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Massachusetts-based cybersecurity firm Randori has been credited with discovering and reporting the issue.\n\n\"The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow,\" Randori researchers [said](<https://www.randori.com/blog/cve-2021-3064/>). \"Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products.\"\n\nHowever, in a troubling turn of events, the company said it used this exploit as part of its red team engagements for nearly 10 months before disclosing it to Palo Alto Networks in late September 2021. Technical details related to CVE-2021-3064 have been withheld for 30 days to prevent threat actors from abusing the vulnerability to stage real-world attacks.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEilFMcajwZHFBEC8uB9M9A4I32c9yO3_wwVQ69PxZDPWv9jMnSPyvNoXzwgw31zCD1hkpcjyjrOmWJmP4b9M47x0zkmRNzjitk_2QbpDag22tHhgUZRGn-Clpjw2yOLyFBNgBc8GLhPMs4Ym4-13ScCGihUepRQGJL4N3Fxrj0t2u5nAEI2Q7Edis7Q>)\n\nThe security bug stems from a buffer overflow that occurs while parsing user-supplied input. 
Successful exploitation of the flaw necessitates that the attacker strings it with a technique known as [HTTP smuggling](<https://thehackernews.com/2021/09/haproxy-found-vulnerable-to-critical.html>) to achieve remote code execution on the VPN installations, not to mention have network access to the device on the GlobalProtect service default port 443.\n\n\"A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges,\" Palo Alto Networks [said](<https://security.paloaltonetworks.com/CVE-2021-3064>) in an independent advisory. \"The attacker must have network access to the GlobalProtect interface to exploit this issue.\"\n\nIn light of the fact that VPN devices are [lucrative targets](<https://thehackernews.com/2021/06/north-korea-exploited-vpn-flaw-to-hack.html>) for malicious actors, it's highly recommended that users move quickly to patch the vulnerability. As a workaround, Palo Alto Networks is advising affected organizations to enable threat signatures for identifiers 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to prevent any potential attacks against CVE-2021-3064.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T06:35:00", "type": "thn", "title": "Palo Alto Warns of Zero-Day Bug in Firewalls Using GlobalProtect Portal VPN", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2021-11-15T05:16:07", "id": "THN:115BB605995BDAD971C6060FB3E704ED", "href": "https://thehackernews.com/2021/11/palo-alto-warns-of-zero-day-bug-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-11-26T17:20:32", "description": "#### THREAT LEVEL: Amber.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/A-zero-day-vulnerability-has-been-discovered-in-PANs-GlobalProtect-firewall_TA202148-1.pdf>)\n\nPalo Alto Networks (PAN) released an update on November 10, 2021, that patched CVE-2021-3064, which was discovered 
and disclosed by Randori. This vulnerability affects PAN firewalls that use the GlobalProtect Portal VPN, and it allows for unauthenticated remote code execution on susceptible product installations. The vulnerability affects all versions of PAN-OS 8.1 prior to 8.1.17, and Randori has discovered over 10,000 vulnerable instances on internet-facing assets.\n\nThe CVE-2021-3064 vulnerability is a buffer overflow that occurs while parsing user-supplied information into a fixed-length position on the stack. Without using an HTTP smuggling approach, the troublesome code is not accessible from the outside world. An unauthenticated network-based attacker can disrupt system operations and potentially execute arbitrary code with root privileges by exploiting a memory corruption vulnerability in Palo Alto Networks GlobalProtect portal and gateway interfaces. To exploit this vulnerability, the attacker must have network access to the GlobalProtect interface.\n\nAn attacker must have network access to the device on the GlobalProtect service port(default port 443) in order to exploit this issue. This port is frequently accessible over the Internet since the impacted product is a VPN portal. Exploitation is challenging but not impossible on devices that have ASLR enabled. Due to the lack of ASLR on virtualized devices, exploitation is considerably easier.\n\nOrganizations can mitigate this vulnerability as follows: \n1\\. A patch issued by the PAN should be used.(Link below) \n2\\. PAN has also made Threat Prevention signatures 91820 and 91855 accessible for use by organizations to avoid exploitation until a software upgrade is scheduled. \n3\\. 
Organizations that do not use the PAN firewall's VPN features should immediately disable GlobalProtect.\n\n#### Vulnerability Details\n\n\n\n#### Patch Link\n\n<https://security.paloaltonetworks.com/CVE-2021-3064>\n\n#### References\n\n<https://www.randori.com/blog/cve-2021-3064/>\n\n<https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-14T10:42:39", "type": "hivepro", "title": "A zero-day vulnerability has been discovered in PAN\u2019s GlobalProtect firewall", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2021-11-14T10:42:39", "id": "HIVEPRO:28DAB1D4FF2A121B74937B923A1D44B9", "href": "https://www.hivepro.com/a-zero-day-vulnerability-has-been-discovered-in-pans-globalprotect-firewall/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T17:20:32", "description": "#### Outline\n\nPalo Alto Networks (PAN) released an update on November 10, 2021, that patched CVE-2021-3064, which was discovered and disclosed by Randori. 
This vulnerability affects PAN firewalls that use the GlobalProtect Portal VPN, and it allows for unauthenticated remote code execution on susceptible product installations. The vulnerability affects all versions of PAN-OS 8.1 prior to 8.1.17, and Randori has discovered over 10,000 vulnerable instances on internet-facing assets.\n\n#### Disclosure Timeline\n\n \n\n\n\n#### Technical Overview\n\nThe researchers were able to successfully exploit the following systems that have GlobalProtect enabled and accessible:\n\n * Palo Alto Networks PA-5220 \n * PAN-OS 8.1.16\n * ASLR enabled in firmware for this device\n * Palo Alto Networks PA-VM \n * PAN-OS 8.1.15\n * ASLR disabled in firmware for this device\n\n#### Vulnerability & Exploit Details\n\nThe CVE-2021-3064 vulnerability is a buffer overflow that occurs while parsing user-supplied information into a fixed-length position on the stack. Without using an HTTP smuggling approach, the troublesome code is not accessible from the outside world. An unauthenticated network-based attacker can disrupt system operations and potentially execute arbitrary code with root privileges by exploiting a memory corruption vulnerability in Palo Alto Networks GlobalProtect portal and gateway interfaces. To exploit this vulnerability, the attacker must have network access to the GlobalProtect interface.\n\nAn attacker must have network access to the device on the GlobalProtect service port(default port 443) in order to exploit this issue. This port is frequently accessible over the Internet since the impacted product is a VPN portal. Exploitation is challenging but not impossible on devices that have ASLR enabled. Due to the lack of ASLR on virtualized devices, exploitation is considerably easier.\n\n#### Mitigation and Patch Information\n\n 1. A patch issued by the PAN should be used.\n 2. 
PAN has also made Threat Prevention signatures 91820 and 91855 accessible for use by organizations to avoid exploitation until a software upgrade is scheduled.\n 3. Organizations that do not use the PAN firewall's VPN features should immediately disable GlobalProtect.\n\n#### References\n\nRandori Report - <https://www.randori.com/blog/cve-2021-3064/>\n\nPalo Alto Networks Security Advisory- <https://security.paloaltonetworks.com/CVE-2021-3064>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-15T12:18:52", "type": "hivepro", "title": "Randori discovered Zero-day in Palo Alto\u2019s GlobalProtect Firewall, affecting ~10,000 assets.", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2021-11-15T12:18:52", "id": "HIVEPRO:BED8EF5B5E2D49B945369D9DB342D717", "href": "https://www.hivepro.com/randori-discovered-zero-day-in-palo-altos-globalprotect-firewall/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2023-05-27T14:58:45", "description": "A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal 
and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.\n\n**Work around:**\nEnable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against CVE-2021-3064.\n\nIt is not necessary to enable SSL decryption to detect and block attacks against this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T17:00:00", "type": "paloalto", "title": "PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2021-11-10T17:00:00", "id": "PA-CVE-2021-3064", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2021-3064", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:35:30", "description": "The version of Palo Alto Networks PAN-OS running on 
the remote host is 8.1.x prior to 8.1.17. It is, therefore, affected by a memory corruption vulnerability. This vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-12T00:00:00", "type": "nessus", "title": "Palo Alto Networks PAN-OS 8.1.x < 8.1.17 Memory Corruption", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3064"], "modified": "2022-05-26T00:00:00", "cpe": ["cpe:/o:paloaltonetworks:pan-os"], "id": "PALO_ALTO_CVE-2021-3064.NASL", "href": "https://www.tenable.com/plugins/nessus/155307", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155307);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/26\");\n\n script_cve_id(\"CVE-2021-3064\");\n script_xref(name:\"IAVA\", value:\"2021-A-0552-S\");\n\n script_name(english:\"Palo Alto Networks PAN-OS 8.1.x < 8.1.17 Memory Corruption\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PAN-OS host is affected by a memory corruption vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Palo Alto Networks PAN-OS running on the remote host is 8.1.x prior to 8.1.17. It is, therefore, affected\nby a memory corruption vulnerability. 
This vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway \ninterfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute\narbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit \nthis issue.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.paloaltonetworks.com/CVE-2021-3064\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/121.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PAN-OS 8.1.17 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3064\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(121);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/12\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:paloaltonetworks:pan-os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Palo Alto 
Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"palo_alto_version.nbin\");\n script_require_keys(\"Host/Palo_Alto/Firewall/Version\", \"Host/Palo_Alto/Firewall/Full_Version\", \"Host/Palo_Alto/Firewall/Source\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvcf::palo_alto::initialize();\n\nvar app_name = 'Palo Alto Networks PAN-OS';\n\nvar app_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Palo_Alto/Firewall/Full_Version', kb_source:'Host/Palo_Alto/Firewall/Source');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar constraints = [\n { 'min_version' : '8.1.0', 'fixed_version' : '8.1.17' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-01-21T21:09:11", "description": "The number of exposed assets keeps climbing, but existing security strategies aren\u2019t keeping up. Attack surfaces are getting more complex, and the excruciatingly hard part is figuring out where to focus. For every 1,000 assets on an attack surface, there is often only one that\u2019s truly interesting to an attacker. But how is a defender supposed to know which one that is?\n\nThis becomes especially difficult in the wake of[ Log4j](<https://www.randori.com/log4j/>). Even [Jen Easterly](<https://twitter.com/CISAJen/status/1470542712394989574>) made a point to remind people that enumerating what\u2019s on your attack surface is a key way to mitigate a Log4j incident.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/01/21151630/Untitled.png>)\n\nI\u2019m a pretty busy person, so I\u2019m always seeking out the path of least resistance \u2014 as are most attackers. 
We have to operate within limited budgets, and our technical capabilities have an upper bound \u2014 we\u2019re not magicians. This is where flipping your perspective will help not only identify what\u2019s exposed on your attack surface, but also what\u2019s most likely to be targeted by an attacker. I guarantee it will dramatically improve your team\u2019s efficiency, reduce overall risk and ensure you\u2019re always focused on the highest value assets first.\n\n[Randori](<https://www.randori.com/ebooks/2021-attack-surface-report-the-internets-most-tempting-targets/>) spent some time researching what internet-exposed software is most tempting to an attacker\u2014we use six attributes we assess to determine a piece of software\u2019s Temptation Score: enumerability, exploitability, criticality, applicability, post-exploitation potential, and research potential. Using some math and fancy algorithms we end up with a \u201cTarget Temptation\u201d Score\u2014basically calculating the attackability of an internet-facing asset.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/01/21151624/Untitled-1.png>)\n\nUsing these assessments, we created a list of some of the more juicy targets we see on the web, and why.\n\n## Temptation Roll Call\n\n**Anything known to be using Log4j.** Log4j took the security community by storm as it\u2019s one of the most widely used pieces of third-party code and extremely easy to exploit. Our attack team had an exploit within the hour, and was able to use it in live [VMware environments](<https://www.randori.com/blog/vmsa-2021-0028-vmware-log4shell-impact-remediations/>) the same day. Even though the security community rallied as fast as it could to apply patches and remediation strategies, there are likely some services still running vulnerable code. 
Because it\u2019s so easy to exploit and new variations of the Log4Shell vulnerability are likely to emerge, it\u2019s going to rank high on any attacker\u2019s list.\n\n**VPNs, my personal favorite.** VPNs are known to protect things of value, making them intrinsically interesting, yet they are often unpatched, misconfigured and not well protected. One cannot install any software on a VPN to defend it. If an attacker exploits this one device, they can reach out to additional devices it was protecting. They are known to be [targets for exploitation](<https://www.randori.com/blog/cve-2021-3064/>) too; in fact we discovered a [9.8 CVE on Palo Alto\u2019s Global Protect product](<https://www.randori.com/blog/cve-2021-3064/>).\n\n**Older versions of Solarwinds.** Despite all the attention on SolarWinds, one in 15 organizations appear to be running vulnerable versions of the software. Attackers likely put it top of their list because 1) there is a known exploit; 2) Solarwinds is typically a mission-critical technology for a business that could give an attacker privileged access; and 3) it\u2019s widely used. One exploit could be used against many.\n\n**Old versions of Microsoft IIS 6.** [Microsoft IIS](<https://www.iis.net/>) 6 has NOT been supported for more than half a decade. That\u2019s right, half a decade! Attackers love old exposed software that is no longer supported. Our data shows 15 percent of companies have at least one instance of IIS 6 exposed online. Microsoft\u2019s IIS version 6 is associated with Windows 2003, and Microsoft stopped supporting it in 2015. In 2015! With lots of known public weaknesses and high applicability, IIS 6 is something some might assume is a honeypot, but an attacker knows better\u2014it\u2019s a juicy target.\n\n**Older versions of Microsoft OWA.** Microsoft\u2019s Outlook Web Access (OWA) is a very widely used solution with lots and lots of publicly known CVEs. 
Remember the [Windows Exchange breach from last year](<https://borncity.com/win/2021/03/03/exchange-server-0-day-exploits-werden-aktiv-ausgenutzt-patchen/>) that impacted 30,000 companies? Despite the risks, many companies continue to have OWA exposed to the internet. [Several known vulnerabilities](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>) can provide attacker\u2019s with remote access and are known to be actively exploited.\n\nAnother thing: The more an attacker knows about a system, the more tempting it is. One aspect that often drives up OWA temptation scores for instance is the use of default settings that expose detailed version information. Services which expose the name, version, and better yet, configuration information, make it easier for an attacker to cross-check to see if there are any known public vulnerabilities or exploits weaponized against that specific version and to confirm if an exploit will land.\n\nPro tip: Always change the default settings so that the version number isn\u2019t publicly visible. If you can\u2019t patch it or upgrade it, at least hide it.\n\n## The Defender\u2019s Move\n\nThere\u2019s a bit of an equation that goes into deciding what the most tempting targets are on an attack surface. While there isn\u2019t an exact list of attributes an adversary uses to determine what to exploit, the logic above is pretty universal among attackers.\n\nNo system will ever be fully secure, but limiting the information attackers can get their hands on out of the gate goes a long way toward taking the wind out of their sails. This means burying the truly crucial information behind so many fail safes that it isn\u2019t worth the effort for an attacker. 
This can mean adding logging/monitoring, web application firewalls or segmentation to critical assets on an attack surface \u2014 or even taking systems offline entirely if they don\u2019t need to communicate with the internet.\n\nAs always, good ole-fashioned network segmentation and defense in depth will get better results than what you\u2019d be getting otherwise.\n\n**_David \u201cmoose\u201d Wolpoff is CTO at [Randori.](<https://www.randori.com/>)_**\n\n_**Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>).**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-21T21:03:23", "type": "threatpost", "title": "The Internet\u2019s Most Tempting Targets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3064"], "modified": "2022-01-21T21:03:23", "id": "THREATPOST:D203D198B6B3C197D6DDDA6027B4B3F9", "href": "https://threatpost.com/internet-most-tempting-targets/177869/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-10T22:40:35", 
"description": "Researchers have developed a working exploit to gain remote code execution (RCE) via a massive vulnerability in a security appliance from Palo Alto Networks (PAN), potentially leaving 10,000 vulnerable firewalls with their goods exposed to the internet.\n\nThe critical zero day, tracked as [CVE 2021-3064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3064>) and scoring a CVSS rating of 9.8 out of 10 for vulnerability severity, is in PAN\u2019s [GlobalProtect firewall](<https://www.paloaltonetworks.com/products/globalprotect>). It allows for unauthenticated RCE on multiple versions of PAN-OS 8.1 prior to 8.1.17, on both physical and virtual firewalls.\n\n111021 14:04 UPDATE: The PAN updates cover versions 9.0 and 9.1, but based on Randori\u2019s research, those versions aren\u2019t vulnerable to this particular CVE. A spokesperson told Threatpost that any updates to non-8.1 versions are likely unrelated to CVE 2021-3064.\n\n111021 17:28 UPDATE: Palo Alto has updated its advisory to clarify that this bug doesn\u2019t affect versions besides PAN-OS 8.1 prior to 8.1.17.\n\nRandori researchers said in a [Wednesday post](<https://www.randori.com/blog/cve-2021-3064/>) that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more.\n\nAfter that, attackers can dance across a targeted organization, they said: \u201cOnce an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.\u201d\n\nGoing by a Shodan search of internet-exposed devices, Randori initially believed that there are \u201cmore than 70,000 vulnerable instances exposed 
on internet-facing assets.\u201d\n\n111021 17:30 UPDATE: Palo Alto Network informed Randori that the number of affected devices is closer to 10,000.\n\nThe Randori Attack Team found the zero day a year ago, developed a working exploit and used it against Randori customers (with authorization) over the past year. Below is the team\u2019s video of the exploit:\n\n## Don\u2019t Panic, But Do Patch\n\nRandori has coordinated disclosure with PAN. On Wednesday, PAN published [an advisory](<https://security.paloaltonetworks.com/CVE-2021-3064>) and an update to patch CVE-2021-3064.\n\nRandori\u2019s also planning to release more technical details on Wednesday, \u201conce the patch has had enough time to soak,\u201d and will issue updates at [@RandoriAttack](<https://twitter.com/Randoriattack>) on Twitter, according to its writeup.\n\nWhile Randori is setting aside 30 days before releasing yet more detailed technical information that it usually provides in its attack notes \u2013 a grace period for customers to patch or upgrade \u2013 it did give some higher-level details.\n\n## Vulnerability Chain Details\n\nRandori said that CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. To get to the problematic code, attackers would have to use an HTTP smuggling technique, researchers explained. Otherwise, it\u2019s not reachable externally.\n\nHTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users.\n\nThese kinds of vulnerabilities are often critical, as they allow an attacker to bypass security controls, gain unauthorized access to sensitive data and directly compromise other application users. 
A recent example was [a bug](<https://threatpost.com/ibm-critical-remote-code-execution-flaw/164187/>) that cropped up in February in Node.js, an open-source, cross-platform JavaScript runtime environment for developing server-side and networking applications that\u2019s used in IBM Planning Analytics.\n\nExploitation of the buffer overflow done in conjunction with HTTP smuggling together yields RCE under the privileges of the affected component on the firewall device, according to Randori\u2019s analysis. The HTTP smuggling wasn\u2019t given a CVE identifier, as Palo Alto Networks doesn\u2019t consider it a security boundary, they explained.\n\nTo exploit the bug, an attacker needs network access to the device on the GlobalProtect service port (default port 443).\n\n\u201cAs the affected product is a VPN portal, this port is often accessible over the Internet,\u201d researchers pointed out.\n\nVirtual firewalls are particularly vulnerable, given that they lack Address Space Layout Randomization (ASLR), the researchers said. \u201cOn devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. 
On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface.\u201d When it comes to certain hard device versions with [MIPS-based](<https://en.wikipedia.org/wiki/MIPS_architecture_processors>) management plane CPUs, Randori researchers haven\u2019t exploited the buffer overflow to achieve controlled code execution, they said, \u201cdue to their [big endian architecture](<https://www.techtarget.com/searchnetworking/definition/big-endian-and-little-endian#:~:text=Big%2Dendian%20is%20an%20order,the%20sequence\\)%20is%20stored%20first.>).\u201d But they noted that \u201cthe overflow is reachable on these devices and can be exploited to limit availability of services.\u201d\n\nThey referred to PAN\u2019s [VM-Series](<https://www.accyotta.com/palo-alto-networks/pa-vm>) of virtualized firewalls, deployed in public and private cloud computing environments and powered by VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft and Google as perimeter gateways, IPSec VPN termination points and segmentation gateways. PAN describes the firewalls as being designed to prevent threats from moving from workload to workload.\n\nRandori said that the bug affects firewalls running the 8.1 series of PAN-OS with GlobalProtect enabled (specifically, as noted above, versions < 8.1.17). 
The company\u2019s red-team researchers have proved exploitation of the vulnerability chain and attained RCE on both physical and virtual firewall products.\n\nThere\u2019s no public exploit code available \u2013 yet \u2013 and there are both PAN\u2019s patch and threat prevention signatures available to block exploitation, Randori said.\n\n## Exploit Code Sure to Follow\n\nRandori noted that public exploit code will likely surface, given what tasty targets VPN devices are for malicious actors.\n\nRandori CTO David \u201cmoose\u201d Wolpoff has written for Threatpost, explaining why [he loves breaking into security appliances](<https://threatpost.com/breaking-into-security-appliances/167584/>) and VPNs: After all, they present one convenient lock for attackers to pick, and then presto, they can invade an enterprise.\n\nThe Colonial Pipeline ransomware attack is a case in point, Wolpoff recently wrote: As Colonial\u2019s CEO told a Senate committee in June ([PDF](<https://www.hsgac.senate.gov/imo/media/doc/Testimony-Blount-2021-06-08.pdf>)), attackers were able to compromise the company through a legacy VPN account.\n\n\u201cThe account lacked multi-factor authentication (MFA) and wasn\u2019t in active use within the business,\u201d Wolpoff noted. 
It\u2019s \u201ca scenario unlikely to be unique to the fuel pipeline,\u201d he added.\n\n## How Palo Alto Customers Can Mitigate the Threat\n\nPatching as soon as possible is of course the top recommendation, but Randori offered these mitigation options if that\u2019s not doable:\n\n * Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against this vulnerability.\n * If you don\u2019t use the GlobalProtect VPN portion of the Palo Alto firewall, disable it.\n * For any internet-facing application: \n * Disable or remove any unused features\n * Restrict origin IPs allowed to connect to services\n * Apply layered controls (such as WAF, firewall, access controls, segmentation)\n * Monitor logs and alerts from the device\n\n## The \u2018Bigger Story\u2019: Ethically Using a Zero Day\n\nRandori pointed out that Wolpoff has blogged about [why zero-days are essential to security](<https://www.randori.com/blog/why-zero-days-are-essential-to-security/>), and the Palo Alto Networks zero day is a prime example.\n\n\u201cAs the threat from zero-days grows, more and more organizations are asking for realistic ways to prepare for and train against unknown threats, which translates to a need for ethical use of zero-days,\u201d the researchers said in their writeup. \u201cWhen a defender is unable to patch a flaw, they must rely on other controls. Real exploits let them validate those controls, and not simply in a contrived manner. Real exploits let customers scrimmage against the same class of threats they are already facing.\u201d\n\n111021 13:13 UPDATE: Fixed incorrect link to [Randori\u2019s writeup](<https://www.randori.com/blog/cve-2021-3064/>).\n\nImage courtesy of [Wikipedia](<https://en.wikipedia.org/wiki/Palo_Alto_Networks>).\n
", "cvss3": {}, "published": "2021-11-10T17:00:35", "type": "threatpost", "title": "Massive Zero-Day Hole Found in Palo Alto Security Appliances", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-3063", "CVE-2021-3064"], "modified": "2021-11-10T17:00:35", "id": "THREATPOST:03052371F383A20C440079DD064A666F", "href": "https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/", "cvss": {"score": 0.0, "vector": "NONE"}}], "trellix": [{"lastseen": "2021-11-30T00:00:00", "description": "# The Bug Report \u2014 November 2021 Edition\n\nBy Mark Bereza \u00b7 November 30, 2021\n\n## Your Cybersecurity Comic Relief\n\n CVE-2021-20322: Of all the words of mice and men, the saddest are, \u201cit was DNS again.\u201d \n\n\n## Why am I here?\n\nFor all our newcomers, welcome to the Advanced Threat Research team\u2019s monthly bug report \u2013 a digest of all the latest and greatest vulnerabilities from the last 30-ish days based on merits just a tad more nuanced than sorting NVD by \u201cCVSS > 9.0.\u201d Instead, we focus on qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team.\n\nTo those who are returning after having read last month\u2019s issue, I would like to congratulate you for being a Bug Report fan before it was cool \u2013 which it now most assuredly is, thanks in no small part to a litany of 
fascinating vulnerabilities. We encourage our veterans to stick around as long as possible, so that a year from now you can complain about how we\u2019re washed up and how much better our early editions were.\n\n * PAN GlobalProtect VPN: CVE-2021-3064\n * Linux Kernel: CVE-2021-20322\n * Just About All DRAM: CVE-2021-42114 aka Blacksmith\n \n\n\n## CPAN GlobalProtect VPN: CVE-2021-3064\n\n### What is it?\n\nPalo Alto Networks (PAN) firewalls that use its GlobalProtect Portal VPN running PAN-OS versions older than 8.1.17 are vulnerable to a cutting-edge, state-of-the-art style of vulnerability known as a \u201cstack-based buffer overflow.\u201d Although the vulnerable code is normally not reachable, when combined with an HTTP smuggling vulnerability, CVE-2021-3064 can be used to gain **remote code execution, a remote shell, and even access to sensitive configuration data** [according to Randori Attack Team researchers](<https://www.randori.com/blog/cve-2021-3064/>). Randori discovered the vulnerability over a year ago but chose not to disclose it to PAN until September of this year, using it as part of its \u201ccontinuous and automated red team platform\u201d during the interim \u2013 I suppose we should be thankful that PAN has claimed in [its security advisory](<https://security.paloaltonetworks.com/CVE-2021-3064>) that no evidence of exploitation of this vuln has been discovered, despite its age.\n\n### Who cares?\n\nAbsence of \u201cin-the-wild\u201d exploitation aside, we should also be grateful that the number of people who should care is rapidly dwindling (an ever-present theme of 2021). Randori initially reported over 70,000 internet-accessible PAN firewalls running vulnerable versions of PAN-OS [according to Shodan](<https://www.shodan.io/search/facet?query=http.html%3A%22Global+Protect%22&facet=os>), which it later amended to 10,000. As of this writing, that number has fallen to around 7,000. 
Even so, **7,000 vulnerable firewalls** mean an even larger number of vulnerable clients at risk of an over-the-internet attack vector requiring zero authentication. Those connecting to PAN firewalls running on VMs have even greater cause for concern as these **lack** [ASLR](<https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR>), a factoid I have chosen to add to my ever-growing \u201cwhy is that a thing\u201d list, right next to the Ghostbusters remake.\n\n### What can I do?\n\nWe suggest an experiment: open the Shodan search linked above and note the total number of devices running a vulnerable version of PAN-OS. Next, call up whoever manages your firewall and demand they power it down immediately \u2013 use threats if you must. Check the Shodan scan again: has the number gone down? If so, it\u2019s probably time to update. If you\u2019re an Arch user and the prospect of updating terrifies you, Palo Alto has also indicated that its signatures for **Unique Threat IDs 91820 and 91855** should block exploitation of CVE-2021-3064.\n\n### The Gold Standard\n\nBe sure to stay up to date on the latest CVEs \u2013 our [security bulletins](<https://www.mcafee.com/enterprise/en-us/threat-center/product-security-bulletins.html>) are a great resource for finding product information for all kinds of critical vulnerabilities.\n\n \n\n\n## Linux Kernel: CVE-2021-20322\n\n### What is it?\n\nResearchers at the University of California, Riverside have discovered a flaw in the way the Linux kernel handles \u201cICMP fragment needed\u201d and \u201cICMP redirect\u201d errors, allowing an attacker to quickly learn the randomized port number assigned to a UDP socket. 
What this description fails to convey is the big picture impact of this vulnerability, which is its use as a side-channel for the now-prehistoric DNS cache poisoning attack, in which an off-path malicious actor \u2018poisons\u2019 a DNS resolver\u2019s cache with a false record, mapping a known domain (google.com) to an IP address of their choosing ([98.136.144.138](<http://98.136.144.138/>)). Truly nefarious.\n\n### Who cares?\n\nTo be frank, just about everyone should be at least raising an eyebrow at this one. Although the researchers have indicated in [their whitepaper](<https://www.cs.ucr.edu/~zhiyunq/pub/ccs21_dns_poisoning.pdf>) that this particular side-channel only **affects about 13.85% of open resolvers** on the internet, it\u2019s important to note that various security services rely on proof of domain ownership, including even the issuing of certificates, making the impact tremendous. Users of popular DNS service Quad9 have particular cause for concern, as the paper claims it falls under the vulnerable 13.85%. Linux users should also be concerned, and not just because their drivers refuse to work \u2013 **DNS software such as BIND, Unbound, and dnsmasq** running on their platform of choice are also vulnerable.\n\n### What can I do?\n\nThis is where things get tricky. DNS extensions that were standardized over two decades ago, such as DNSSEC and DNS cookies, should successfully mitigate this and all other DNS cache poisoning attack side channels. The unfortunate reality is that these features see very limited adoption due to backwards-compatibility concerns. While we wait for these dinosaurs holding back progress to die out, the authors of the aforementioned whitepaper have suggested some alternative mitigations, including **enabling the IP_PMTUDISC_OMIT socket option**, introducing additional randomization to the structure of the DNS exception cache, and configuring DNS servers with a singular default gateway to outright **reject ICMP redirects**. 
Further details can be found in section 8.4 of their paper.\n\n### The Gold Standard\n\nUnfortunately, not every vulnerability can be adequately addressed by network security products, and this vulnerability happens to be one of those cases. Your best bet is to follow the mitigations mentioned above and keep your servers up to date.\n\n \n\n\n## Just About All DRAM: CVE-2021-42114 aka Blacksmith\n\n### What is it?\n\nBlacksmith, a name referring to both the vulnerability and the fuzzer created to exercise it, is a new implementation of the [Rowhammer](<https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf>) DRAM hardware vulnerability from 2014. The crux of Rowhammer is the use of high frequency read operations to induce bit flips in neighboring regions of physical memory, which can lead to the crossing of any security barrier if the attacker can massage memory so that critical data is stored in a vulnerable physical page. Modern DRAM hardware uses a technology called Target Row Refresh (TRR) to prematurely refresh regions of physical memory targeted by common Rowhammer attacks. Researchers at ETH Zurich and their associates discovered that TRR exploits the uniform nature of memory accesses used by existing Rowhammer attacks to \u201ccatch\u201d them, and so devised a Rowhammer attack that used non-uniform accesses, arriving at CVE-2021-42114, which **bypasses TRR and all other modern Rowhammer mitigations**.\n\n### Who cares?\n\nEveryone. Just about every common electronic device you can think of uses DRAM and of [the DIMMs (RAM sticks) tested](<https://comsec.ethz.ch/research/dram/blacksmith/>), **the researchers did not find a single one that was completely safe**. 
It might be easy to presume that hardware vulnerabilities such as this are academically fascinating but have little real-world impact, but research published since 2014 has shown Rowhammer attacks successfully [escape JavaScript containers](<https://comsec.ethz.ch/research/dram/smash/>) in the browser, [cross VM boundaries](<https://comsec.ethz.ch/wp-content/files/flip-feng-shui_sec16.pdf>) in the cloud, and even [achieve RCE](<https://comsec.ethz.ch/wp-content/files/throwhammer_atc18.pdf>) across networks with high enough throughput. Perhaps the greatest tragedy of Blacksmith is that it arrived a month too late \u2013 it would have fit in perfectly with Halloween monsters like Freddy Krueger or Jason Voorhees who also see new iterations every few years and refuse to stay dead.\n\n### What can I do?\n\nHide your PC, hide your tablet, and hide your phone, \u2018cause they\u2019re hammerin\u2019 everybody out there. Beyond that, there\u2019s not much to be done besides **wait for [JEDEC](<https://www.jedec.org/>) to develop a fix** and for DRAM manufacturers to begin supplying hardware with the new standard.\n\n### The Gold Standard\n\nWe at McAfee Enterprise are doing everything in our power to address this critical vulnerability. In other words, we\u2019ll be waiting for that JEDEC fix right along with you.\n", "cvss3": {}, "published": "2021-11-30T00:00:00", "type": "trellix", "title": "The Bug Report November 2021 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-20322", "CVE-2021-3064", "CVE-2021-42114"], "modified": "2021-11-30T00:00:00", "id": "TRELLIX:39F2C513984A5BB7A3E14C8FB15CED7C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-november-2021-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}]}