Security researchers from Randori have disclosed a new zero-day vulnerability in Palo Alto Networks (PAN) firewalls that use the GlobalProtect Portal VPN. The zero-day, tracked as CVE-2021-3064, allows unauthenticated remote code execution. We have created this post to let you know how to fix CVE-2021-3064, a memory corruption vulnerability in the Palo Alto Networks GlobalProtect portal.
CVE-2021-3064 is a memory corruption vulnerability in the Palo Alto Networks GlobalProtect portal and gateway interfaces. Unauthenticated attackers could carry out network-based attacks such as arbitrary code execution with root privileges, and could disrupt system processes.
Attackers could achieve remote code execution by chaining two weaknesses: a stack-based buffer overflow that occurs while parsing user-supplied input, and an HTTP request smuggling technique that makes the problematic code reachable from outside.
To achieve remote code execution, the attacker must have network access to the GlobalProtect interface (default port 443). In most cases the GlobalProtect interface is reachable from the internet, because it is a VPN portal. Another notable point is that the vulnerability is easier to exploit on virtualized appliances, which lack ASLR; hardware appliances with ASLR enabled are harder to exploit, although exploitation is still possible.
Metric | Value |
---|---|
CVSSv3.1 Base Score | 9.8 |
Description | A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces |
Attack Vector | Network |
Privileges Required | None |
Attack Complexity | Low |
User Interaction | None |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
Multiple versions of PAN-OS 8.1 are affected, most likely all versions prior to 8.1.17. Palo Alto also stated that no Prisma Access users are impacted by this issue.
This vulnerability affects only PAN-OS installations on which a GlobalProtect portal or gateway is enabled. You can verify whether a GlobalProtect portal or gateway is enabled by checking for entries under ‘Network > GlobalProtect > Portals’ and ‘Network > GlobalProtect > Gateways’ in the web interface.
Versions | Affected | Unaffected |
---|---|---|
Prisma Access 2.2 | None | all |
Prisma Access 2.1 | None | all |
PAN-OS 10.1 | None | 10.1.* |
PAN-OS 10.0 | None | 10.0.* |
PAN-OS 9.1 | None | 9.1.* |
PAN-OS 9.0 | None | 9.0.* |
PAN-OS 8.1 | < 8.1.17 | >= 8.1.17 |
Table source: security.paloaltonetworks.com
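The affected-version table above is easy to misread when a device runs a hotfix build such as 8.1.16-h1, so the following script turns the table into a repeatable check. It is an added example written for this post, not code from Palo Alto Networks or Randori. It assumes the PAN-OS version syntax "major.minor.maintenance" with an optional "-hN" hotfix suffix, and the `show system info` output it parses is a constructed sample, not captured from a real device.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, maintenance, hotfix

# Release trains from the advisory table on this page. Only the 8.1 train has an
# affected range (< 8.1.17); the other listed trains never shipped the flaw.
# Any train not listed here is outside what the advisory covers.
FIRST_FIXED = {(8, 1): (8, 1, 17, 0)}
UNAFFECTED_TRAINS = {(9, 0), (9, 1), (10, 0), (10, 1)}

# Assumed version syntax: "major.minor.maintenance" with an optional "-hN"
# hotfix suffix, for example "8.1.16-h1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn a PAN-OS version string into a tuple that compares correctly."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def extract_sw_version(system_info: str) -> Optional[str]:
    """Pull the sw-version value out of 'show system info' style output."""
    for line in system_info.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


def assess(version_text: str, globalprotect_enabled: bool) -> str:
    """Classify a firewall against the CVE-2021-3064 affected-version table.

    A device without a GlobalProtect portal or gateway is not exposed at all,
    so that check comes first; otherwise the release train decides.
    """
    if not globalprotect_enabled:
        return "not affected: GlobalProtect portal/gateway not configured"
    version = parse_version(version_text)
    train = version[:2]
    if train in UNAFFECTED_TRAINS:
        return "not affected"
    if train in FIRST_FIXED:
        # Hotfix builds of 8.1.16 still sort below 8.1.17 and stay affected.
        return "affected" if version < FIRST_FIXED[train] else "not affected"
    return "unknown: release train not listed in the advisory"


# Constructed sample, modelled on the fields a 'show system info' listing
# contains; it was not captured from a real device.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-VM
sw-version: 8.1.16-h1
global-protect-client-package-version: 0.0.0
"""

if __name__ == "__main__":
    detected = extract_sw_version(SAMPLE_SYSTEM_INFO)
    print(f"PAN-OS {detected}: {assess(detected, globalprotect_enabled=True)}")
```

The GlobalProtect flag is passed in explicitly because the script has no way to read the portal or gateway configuration; take it from the ‘Network > GlobalProtect’ pages mentioned above. Versions from trains the advisory does not list (for example 8.0) are reported as unknown rather than silently treated as safe.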
Palo Alto confirms that the issue is fixed in PAN-OS 8.1.17 and all later versions. Organizations that have enabled a GlobalProtect portal or gateway on their firewalls are asked to upgrade PAN-OS to the latest version immediately to fix the CVE-2021-3064 memory corruption vulnerability.
Additionally, for organizations that cannot apply the patch immediately, Palo Alto has released Threat Prevention signatures 91820 and 91855 and asks that they be enabled on traffic to block attacks against CVE-2021-3064 until PAN-OS is upgraded.
Organizations that have not configured a GlobalProtect portal or gateway on their firewalls are not affected by this vulnerability. However, it is still good practice to upgrade PAN-OS to the latest version. Along with that, always monitor logs and alerts for suspicious activity, block blocklisted IP addresses and domain names, and configure defense in depth such as a web application firewall, segmentation, and access controls.
We hope this post helps you understand how to fix CVE-2021-3064, a memory corruption vulnerability in the Palo Alto Networks GlobalProtect portal. Thanks for reading this threat post.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.