novacoast | By security practitioners, for security practitioners

Critical RCE Vulnerability in Palo Alto Global Protect Firewall Affects Estimated 10,000 VPNs

Randori, a red team cybersecurity company, has disclosed a zero-day memory corruption vulnerability in the GlobalProtect portal and gateway interfaces of Palo Alto Networks PAN-OS. While there are no reports of exploitation in the wild as of this writing, the CVSS score of 9.8 assigned to CVE-2021-3064 makes it a significant threat to corporate networks that expose GlobalProtect.

What’s the nature of the vulnerability?

A threat actor with network access to the GlobalProtect interface can achieve remote code execution (RCE) as root by combining HTTP request smuggling, which is needed to reach the vulnerable code path, with a buffer overflow in the parsing of attacker-supplied input. The attack goes over the default GlobalProtect service port (443), which complicates detection because that port carries a high volume of legitimate traffic.

While devices with or without Address Space Layout Randomization (ASLR) are susceptible, Randori researchers noted that virtualized devices (VM-series firewalls) are particularly vulnerable to this due to the lack of ASLR utilization.

What’s at risk?

Palo Alto notes that, because of the nature of the attack, there are no reliable indicators of compromise (IoCs) to use for detection. Randori researchers also disclosed that they were able to leverage the vulnerability to establish persistence, discover and extract sensitive data and credentials, and, critically, take control of the firewall, giving them full visibility of the network for lateral movement.

Affected Applications/Versions:

Versions            Affected    Unaffected
Prisma Access 2.2   None        All
Prisma Access 2.1   None        All
PAN-OS 10.1         None        10.1.*
PAN-OS 10.0         None        10.0.*
PAN-OS 9.1          None        9.1.*
PAN-OS 9.0          None        9.0.*
PAN-OS 8.1          < 8.1.17    >= 8.1.17

Palo Alto products affected by CVE-2021-3064

The Randori Attack team successfully exploited the following systems with GlobalProtect enabled and accessible:

  • Palo Alto Networks PA-5220
    • PAN-OS 8.1.16
    • ASLR enabled in firmware for this device
  • Palo Alto Networks PA-VM
    • PAN-OS 8.1.15
    • ASLR disabled in firmware for this device

What can I do?

Upgrade as soon as possible. The issue is fixed in PAN-OS 8.1.17 and all later 8.1 releases; the 9.0, 9.1, 10.0 and 10.1 trains and Prisma Access are not affected, so only firewalls still running PAN-OS 8.1.x below 8.1.17 with GlobalProtect enabled need action.

Threat Prevention signatures (Unique Threat IDs 91820 and 91855) are also available and can be applied to traffic destined for GlobalProtect portal and gateway interfaces. Treat them as a stopgap that requires a Threat Prevention subscription and current content updates, not as a substitute for upgrading.
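The following is an added example, not code from the original article, Palo Alto Networks or Randori. It encodes the affected-version table above as a check you can run against the software version reported by a firewall, for example the `<sw-version>` element returned by the PAN-OS XML API or `show system info`. The XML sample is constructed for the example; the element layout it assumes (`<response><result><sw-version>`) and the hotfix suffix format `-hN` are assumptions, and the `triage` helper is hypothetical.

```python
"""Classify PAN-OS version strings against the CVE-2021-3064 affected table.

Added example (not vendor code). Rule encoded from the table: only the 8.1
train below 8.1.17 is affected; 9.0, 9.1, 10.0, 10.1 and Prisma Access are not.
"""
import re
import xml.etree.ElementTree as ET

FIXED_81 = (8, 1, 17)  # first fixed release on the 8.1 train

# Constructed sample, modelled on the XML API's <result><sw-version> shape (assumption).
SAMPLE_RESPONSE = """<response status="success"><result>
<sw-version>8.1.16</sw-version><model>PA-5220</model>
</result></response>"""


def parse_version(s):
    """'8.1.16-h3' -> (8, 1, 16, 3); a missing hotfix suffix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version):
    """True only for 8.1.x releases older than 8.1.17 (hotfixes of 8.1.16 included)."""
    v = parse_version(version)
    if v[:2] != (8, 1):
        return False  # 9.0+ and 10.x trains are listed as unaffected
    return v[:3] < FIXED_81


def sw_version_from_api_xml(xml_text):
    """Pull <sw-version> out of a PAN-OS XML API style response."""
    root = ET.fromstring(xml_text)
    node = root.find(".//sw-version")
    if node is None or not node.text:
        raise ValueError("no <sw-version> element in response")
    return node.text.strip()


def triage(xml_text, global_protect_enabled=True):
    """Hypothetical helper: version plus a one-line verdict for a ticket or report."""
    ver = sw_version_from_api_xml(xml_text)
    if is_affected(ver) and global_protect_enabled:
        return ver, "VULNERABLE: upgrade to PAN-OS 8.1.17 or later"
    if is_affected(ver):
        return ver, "affected release; exposure depends on GlobalProtect being enabled"
    return ver, "not affected"


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
```

Because the advisory's cut is a plain version threshold, the check is deliberately strict about the version format: an unparseable string raises rather than silently reporting "not affected".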

Resources

Massive Zero-Day Hole Found in Palo Alto Security Appliances
https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/

Zero-Day Disclosure: Palo Alto Networks GlobalProtect VPN CVE-2021-3064
https://www.randori.com/blog/cve-2021-3064/

CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces
https://security.paloaltonetworks.com/CVE-2021-3064

CVE-2021-3064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3064
