Palo Alto Networks PAN-OS 8.1.x < 8.1.20-h1 / 9.0.x < 9.0.14-h3 / 9.1.x < 9.1.11-h2 / 10.0.x < 10.0.8 / 10.1.x < 10.1.3 Vulnerability

2021-11-1800:00:00

www.tenable.com

The version of Palo Alto Networks PAN-OS running on the remote host is 8.1.x prior to 8.1.20-h1 or 9.0.x prior to 9.0.14-h3 or 9.1.x prior to 9.1.11-h2 or 10.0.x prior to 10.0.8 or 10.1.x prior to 10.1.3. It is, therefore, affected by a vulnerability.

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN- OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. (CVE-2021-3060)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(155596);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/26");

  script_cve_id("CVE-2021-3060");
  script_xref(name:"IAVA", value:"2021-A-0552-S");

  script_name(english:"Palo Alto Networks PAN-OS 8.1.x < 8.1.20-h1 / 9.0.x < 9.0.14-h3 / 9.1.x < 9.1.11-h2 / 10.0.x < 10.0.8 / 10.1.x < 10.1.3 Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote PAN-OS host is affected by a vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of Palo Alto Networks PAN-OS running on the remote host is 8.1.x prior to 8.1.20-h1 or 9.0.x prior to
9.0.14-h3 or 9.1.x prior to 9.1.11-h2 or 10.0.x prior to 10.0.8 or 10.1.x prior to 10.1.3. It is, therefore, affected by
a vulnerability.

  - An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-
    OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall
    configuration to execute arbitrary code with root user privileges. The attacker must have network access
    to the GlobalProtect interfaces to exploit this issue. (CVE-2021-3060)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.paloaltonetworks.com/CVE-2021-3060");
  # https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?49150a66");
  # https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?12fb4f34");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/78.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PAN-OS 8.1.20-h1 / 9.0.14-h3 / 9.1.11-h2 / 10.0.8 / 10.1.3 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3060");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(78);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/18");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Palo Alto Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_version.nbin");
  script_require_keys("Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version", "Host/Palo_Alto/Firewall/Source", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

vcf::palo_alto::initialize();

var app_name = 'Palo Alto Networks PAN-OS';

var app_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Palo_Alto/Firewall/Full_Version', kb_source:'Host/Palo_Alto/Firewall/Source');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

var constraints = [
  { 'min_version' : '8.1.0', 'fixed_version' : '8.1.20-h1' },
  { 'min_version' : '9.0.0', 'fixed_version' : '9.0.14-h3' },
  { 'min_version' : '9.1.0', 'fixed_version' : '9.1.11-h2' },
  { 'min_version' : '10.0.0', 'fixed_version' : '10.0.8' },
  { 'min_version' : '10.1.0', 'fixed_version' : '10.1.3' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

VendorProductVersionCPE
paloaltonetworkspan-oscpe:/o:paloaltonetworks:pan-os

Vendor	Product	Version	CPE
paloaltonetworks	pan-os		cpe:/o:paloaltonetworks:pan-os

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3060

www.nessus.org/u?12fb4f34

www.nessus.org/u?49150a66

cwe.mitre.org/data/definitions/78.html

security.paloaltonetworks.com/CVE-2021-3060

JSON

Related for PALO_ALTO_CVE-2021-3060.NASL