Palo Alto Networks OS Memory Corruption Vulnerability

Event Summary

Palo Alto Networks (PAN) has released a security advisory regarding a critical vulnerability in PAN-OS firewall configurations with GlobalProtect portal or gateway enabled.  Threat actors can take advantage of this memory corruption vulnerability to perform unauthenticated remote code execution (RCE) on vulnerable devices. Palo Alto has provided a fixed version and is currently unaware of any malicious exploits at this time.

Details

CVE-2021-3064 – Palo Alto Networks Security Advisory

This vulnerability formed through a chain of events that included HTTP smuggling and buffer overflow weaknesses due to user-supplied input.

In order to exploit this weakness, a threat actor must have network access to the GlobalProtect service port, which by default is HTTPS port TCP/443.

To confirm if GlobalProtect portal or gateway is enabled, check for entries in ‘Network > GlobalProtect > Portals’ and in ‘Network > GlobalProtect > Gateways’ from the web interface.

Affected Versions:

PAN-OS 8.1 prior to version 8.1.17

Recommendations and Mitigations

Palo Alto Networks has issued a fix available with PAN-OS 8.1.17 and all later PAN-OS versions.

PAN has also provided Threat Prevention Signatures, 91820 and 91855, that can be enabled to prevent exploitation until organizations are able to patch any affected systems.

We recommend that organizations not using the VPN capabilities as part of their firewalls to disable GlobalProtect.

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. At this time SOD recommends applying all vendor provided patches.

If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.

Resources

Palo Alto Security Advisory – Vendor advisory and guidance

Randori Zero-Day Disclosure – Palo Alto Networks GlobalProtect VPN CVE-2021-3064

CVE-2021-3064 – MITRE CVE Disclosure