Event Summary
Palo Alto Networks (PAN) has released a security advisory regarding a critical vulnerability in PAN-OS firewalls configured with a GlobalProtect portal or gateway. Threat actors can take advantage of this memory corruption vulnerability to perform unauthenticated remote code execution (RCE) on vulnerable devices. Palo Alto has provided a fixed version and is, at the time of writing, unaware of any malicious exploitation.
Details
CVE-2021-3064 – Palo Alto Networks Security Advisory
This vulnerability is exploited through a chain that combines HTTP request smuggling with a buffer overflow triggered by user-supplied input.
In order to exploit this weakness, a threat actor must have network access to the GlobalProtect service port, which by default is HTTPS port TCP/443.
To confirm whether a GlobalProtect portal or gateway is enabled, check for entries under ‘Network > GlobalProtect > Portals’ and ‘Network > GlobalProtect > Gateways’ in the web interface.
Affected Versions:
PAN-OS 8.1 prior to version 8.1.17
Recommendations and Mitigations
Palo Alto Networks has issued a fix available with PAN-OS 8.1.17 and all later PAN-OS versions.
PAN has also provided Threat Prevention signatures 91820 and 91855, which can be enabled to block exploitation attempts until affected systems can be patched.
We recommend that organizations not using the VPN capabilities of their firewalls disable GlobalProtect.
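As an added example (not part of the original alert or Palo Alto's own tooling), the following script turns the Affected Versions statement above into an inventory triage check: it parses PAN-OS version strings, including "-hN" hotfix suffixes, flags any 8.1 release below 8.1.17 as needing the patch, and treats unparseable versions as needing manual review. The inventory, hostnames and version values are constructed sample data.

```python
import re
from typing import NamedTuple

# Per the advisory: PAN-OS 8.1 releases before 8.1.17 are affected; 8.1.17
# and later, and every other release train, carry the fix.
AFFECTED_TRAIN = (8, 1)
FIXED_MAINTENANCE = 17

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    hotfix: int  # 0 when there is no "-hN" hotfix suffix

def parse_panos_version(text: str) -> PanOsVersion:
    """Parse a PAN-OS version string such as '8.1.16-h3' or '10.1.2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))

def is_affected(text: str) -> bool:
    """True if the version is vulnerable to CVE-2021-3064 (the device is only
    exposed if GlobalProtect is also enabled, as the advisory explains).
    A hotfix on 8.1.16 (e.g. 8.1.16-h3) is still below 8.1.17 and affected."""
    v = parse_panos_version(text)
    return (v.major, v.minor) == AFFECTED_TRAIN and v.maintenance < FIXED_MAINTENANCE

def triage(inventory: dict) -> dict:
    """Sort a {hostname: version} inventory into patch / ok / unknown lists."""
    result = {"patch": [], "ok": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patch" if is_affected(version) else "ok"
        except ValueError:  # unparseable version string, needs manual review
            bucket = "unknown"
        result[bucket].append(host)
    return result

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"fw-branch-01": "8.1.16", "fw-branch-02": "8.1.16-h3",
                    "fw-dc-01": "8.1.17", "fw-dc-02": "9.1.5", "fw-lab-01": "n/a"}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```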
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. At this time, SOD recommends applying all vendor-provided patches.
If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.
Resources
Palo Alto Security Advisory – Vendor advisory and guidance
Randori Zero-Day Disclosure – Palo Alto Networks GlobalProtect VPN CVE-2021-3064
CVE-2021-3064 – MITRE CVE Disclosure