Randori, a red team cybersecurity company, officially disclosed a zero-day memory corruption vulnerability within the Palo Alto Global Protect infrastructure, specifically PAN-OS. While there are no indicators of exploitation in the wild as of this writing, the 9.8 CVSS given to CVE-2021-3064 represents a significant threat for corporate networks.
What’s the nature of the vulnerability?
For a threat actor with network access to the PAN GlobalProtect interface, it is possible to achieve remote code execution (RCE) with root privileges via HTTP request smuggling combined with a buffer overflow. The attack runs over the default GlobalProtect service port (443), which further complicates detection because of the high volume of legitimate traffic on port 443.
Devices with and without Address Space Layout Randomization (ASLR) are susceptible, but Randori researchers noted that virtualized devices (VM-series firewalls) are particularly vulnerable because they do not use ASLR.
What’s at risk?
Palo Alto notes that, due to the characteristics of the attack, there are no reliable Indicators of Compromise (IoCs) to use for detection. Randori researchers also disclosed that they were able to leverage the vulnerability to establish persistence, discover and extract sensitive data and credentials, and, critically, gain control over the firewall, giving them full visibility of the network for lateral movement.
Affected Applications/Versions:
| Versions | Affected | Unaffected |
|---|---|---|
| Prisma Access 2.2 | None | All |
| Prisma Access 2.1 | None | All |
| PAN-OS 10.1 | None | 10.1.* |
| PAN-OS 10.0 | None | 10.0.* |
| PAN-OS 9.1 | None | 9.1.* |
| PAN-OS 9.0 | None | 9.0.* |
| PAN-OS 8.1 | < 8.1.17 | >= 8.1.17 |
The Randori Attack team successfully exploited the following systems with GlobalProtect enabled and accessible:
- Palo Alto Networks PA-5220
  - PAN-OS 8.1.16
  - ASLR enabled in firmware for this device
- Palo Alto Networks PA-VM
  - PAN-OS 8.1.15
  - ASLR disabled in firmware for this device
What can I do?
Upgrade as soon as possible. This issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions.
Threat Prevention Signatures (ID 91820 & 91855) are also available.
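The quickest defensive action is an inventory sweep against the affected-version table above. The following is an added example (not code from Randori or Palo Alto Networks) that parses PAN-OS version strings and flags any 8.1 release below 8.1.17; it assumes the "major.minor.patch" format with an optional "-hN" hotfix suffix, and the hostnames in the sample are constructed.

```python
import re
from typing import Dict, NamedTuple

# Per the advisory: only the PAN-OS 8.1 branch is affected, and only releases
# earlier than 8.1.17. Every other listed branch has no affected versions.
FIXED_8_1 = (8, 1, 17)

# Assumed version format: "major.minor.patch" with an optional "-hN" hotfix
# suffix (e.g. "8.1.17-h1"). A hotfix on a pre-8.1.17 base does not change
# the verdict, because the advisory keys the fix to the 8.1.17 release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanosVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 when there is no -hN suffix


def parse_version(text: str) -> PanosVersion:
    """Parse a PAN-OS version string such as '8.1.16' or '8.1.17-h1'."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(text: str) -> bool:
    """True when the version is inside the CVE-2021-3064 range (8.1.x below 8.1.17)."""
    v = parse_version(text)
    if (v.major, v.minor) != (8, 1):
        return False  # 9.0, 9.1, 10.0, 10.1 have no affected releases
    return (v.major, v.minor, v.patch) < FIXED_8_1


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to 'affected' or 'not affected' given hostname -> version."""
    return {host: ("affected" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are placeholders), including the
    # two PAN-OS builds Randori reported exploiting.
    sample = {"fw-pa5220": "8.1.16", "fw-pavm": "8.1.15",
              "fw-edge": "8.1.17-h1", "fw-core": "10.1.2"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```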
Resources
Massive Zero-Day Hole Found in Palo Alto Security Appliances
https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/
Zero-Day Disclosure: Palo Alto Networks GlobalProtect VPN CVE-2021-3064
https://www.randori.com/blog/cve-2021-3064/
CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces
https://security.paloaltonetworks.com/CVE-2021-3064
CVE-2021-3064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3064