CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE)
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH)
AI Score: Confidence High
EPSS Percentile: 66.1%
Researchers have developed a working exploit to gain remote code execution (RCE) via a massive vulnerability in a security appliance from Palo Alto Networks (PAN), potentially leaving 10,000 vulnerable firewalls with their goods exposed to the internet.
The critical zero day, tracked as CVE-2021-3064 and carrying a CVSS severity score of 9.8 out of 10, is in PAN's GlobalProtect firewall. It allows unauthenticated RCE on multiple versions of PAN-OS 8.1 prior to 8.1.17, on both physical and virtual firewalls.
111021 14:04 UPDATE: The PAN updates cover versions 9.0 and 9.1, but based on Randori's research, those versions aren't vulnerable to this particular CVE. A spokesperson told Threatpost that any updates to non-8.1 versions are likely unrelated to CVE-2021-3064.
111021 17:28 UPDATE: Palo Alto has updated its advisory to clarify that this bug doesn't affect versions besides PAN-OS 8.1 prior to 8.1.17.
Randori researchers said in a Wednesday post that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more.
After that, attackers can dance across a targeted organization, they said: "Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally."
Going by a Shodan search of internet-exposed devices, Randori initially believed that there were "more than 70,000 vulnerable instances exposed on internet-facing assets."
111021 17:30 UPDATE: Palo Alto Networks informed Randori that the number of affected devices is closer to 10,000.
The Randori Attack Team found the zero day a year ago, developed a working exploit and used it against Randori customers (with authorization) over the past year. Below is the team's video of the exploit:
https://vital.wistia.com/medias/ht539sderu
Randori has coordinated disclosure with PAN. On Wednesday, PAN published an advisory and an update to patch CVE-2021-3064.
Randori is also planning to release more technical details on Wednesday, "once the patch has had enough time to soak," and will issue updates at @RandoriAttack on Twitter, according to its writeup.
While Randori is setting aside 30 days, a grace period for customers to patch or upgrade, before releasing the more detailed technical information it usually provides in its attack notes, it did give some higher-level details.
Randori said that CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. To reach the problematic code, attackers would have to use an HTTP request smuggling technique, researchers explained; otherwise, it's not reachable externally.
HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users.
These kinds of vulnerabilities are often critical, as they allow an attacker to bypass security controls, gain unauthorized access to sensitive data and directly compromise other application users. A recent example was a bug that cropped up in February in Node.js, an open-source, cross-platform JavaScript runtime environment for developing server-side and networking applications that's used in IBM Planning Analytics.
Exploiting the buffer overflow in conjunction with HTTP smuggling yields RCE under the privileges of the affected component on the firewall device, according to Randori's analysis. The HTTP smuggling wasn't given a CVE identifier, as Palo Alto Networks doesn't consider it a security boundary, they explained.
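Request smuggling depends on the front-end and back-end disagreeing about where a request body ends, so the defender-side fix is to refuse ambiguous framing outright. The following is an added example for this article, not code from PAN-OS, GlobalProtect or Randori; the sample requests and the vpn.example host are constructed.

```python
"""Defensive HTTP/1.1 request-framing check: illustrative code written for this
article, not code from PAN-OS, GlobalProtect or Randori. RFC 7230 section
3.3.3 says a request carrying both Transfer-Encoding and Content-Length "ought
to be handled as an error"; the checks below reject ambiguous framing instead
of guessing, which is exactly what a desync-based smuggling attempt relies on."""
import re

# Header-name token per RFC 7230: whitespace before the colon is not allowed,
# so obfuscations such as "Transfer-Encoding : chunked" fail to parse.
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

def parse_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]) with lower-cased names;
    a malformed header line raises ValueError so callers reject the message."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers

def framing_problem(raw: bytes):
    """Return a reason to reject the request, or None if its framing is unambiguous."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return str(exc)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "both Content-Length and Transfer-Encoding present (RFC 7230 3.3.3)"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "non-numeric Content-Length"
    if te:  # chunked must be the final coding and appear exactly once
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked" or codings.count("chunked") > 1:
            return "Transfer-Encoding must end with exactly one 'chunked'"
    return None

# Constructed sample requests (not captured traffic): a clean POST and a
# classic CL.TE desync attempt with a second request hidden in the body.
CLEAN = b"POST /login HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST /login HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /status HTTP/1.1\r\n\r\n")
```

A front-end that applies this check before forwarding to the GlobalProtect service port closes the desync a smuggled request needs, independently of whether the back-end parser is patched.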
To exploit the bug, an attacker needs network access to the device on the GlobalProtect service port (default port 443).
"As the affected product is a VPN portal, this port is often accessible over the Internet," researchers pointed out.
Virtual firewalls are particularly vulnerable, given that they lack Address Space Layout Randomization (ASLR), the researchers said. "On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface." On certain hardware device versions with MIPS-based management-plane CPUs, Randori researchers haven't exploited the buffer overflow to achieve controlled code execution, they said, "due to their big endian architecture." But they noted that "the overflow is reachable on these devices and can be exploited to limit availability of services."
They referred to PANâs VM-Series of virtualized firewalls, deployed in public and private cloud computing environments and powered by VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft and Google as perimeter gateways, IPSec VPN termination points and segmentation gateways. PAN describes the firewalls as being designed to prevent threats from moving from workload to workload.
Randori said that the bug affects firewalls running the 8.1 series of PAN-OS with GlobalProtect enabled (specifically, as noted above, versions earlier than 8.1.17). The company's red-team researchers have proved exploitation of the vulnerability chain and attained RCE on both physical and virtual firewall products.
There's no public exploit code available yet, and both PAN's patch and threat-prevention signatures are available to block exploitation, Randori said.
Randori noted that public exploit code will likely surface, given what tasty targets VPN devices are for malicious actors.
Randori CTO David "moose" Wolpoff has written for Threatpost, explaining why he loves breaking into security appliances and VPNs: After all, they present one convenient lock for attackers to pick, and then presto, they can invade an enterprise.
The Colonial Pipeline ransomware attack is a case in point, Wolpoff recently wrote: As Colonialâs CEO told a Senate committee in June (PDF), attackers were able to compromise the company through a legacy VPN account.
"The account lacked multi-factor authentication (MFA) and wasn't in active use within the business," Wolpoff noted. It's "a scenario unlikely to be unique to the fuel pipeline," he added.
Patching as soon as possible is of course the top recommendation, but Randori offered these mitigation options if thatâs not doable:
Randori pointed out that Wolpoff has blogged about why zero-days are essential to security, and the Palo Alto Networks zero day is a prime example.
"As the threat from zero-days grows, more and more organizations are asking for realistic ways to prepare for and train against unknown threats, which translates to a need for ethical use of zero-days," the researchers said in their writeup. "When a defender is unable to patch a flaw, they must rely on other controls. Real exploits let them validate those controls, and not simply in a contrived manner. Real exploits let customers scrimmage against the same class of threats they are already facing."
111021 13:13 UPDATE: Fixed incorrect link to Randori's writeup.