Security researchers from Randori have disclosed a new zero-day vulnerability in PAN firewalls using the GlobalProtect Portal VPN. The zero-day is being tracked as CVE-2021-3064 allows for unauthenticated remote code execution. We have created this post to let you know How to Fix CVE-2021-3064- A Memory Corruption Vulnerability in the Palo Alto Networks GlobalProtect portal.
Table of Contents
Summary Of CVE-2021-3064:
The vulnerability CVE-2021-3064 is a memory corruption vulnerability found in Palo Alto Networks GlobalProtect portal and gateway interfaces. Attackers could perform unauthenticated network-based attacks like arbitrary code execution with root privileges and can disrupt system processes.
Attackers could achieve remote code execution by exploiting two things together: 1. buffer overflow that occurs while parsing user-supplied input on the stack. 2. HTTP smuggling technique which makes problematic code reachable externally.
To perform remote code execution, the attacker must have network access to the GlobalProtect interface (default port 443). In most cases, the GlobalProtect interface is made accessible over the internet because it is a VPN portal. Another notable point is that this vulnerability is easy to exploit on Virtualized appliances due to the lack of ASLR. On the other hand, hardware appliance with ASLR enabled is difficult to exploit but possible.
| CVSSv3.1 Base Score | 9.8 |
| Description | A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces |
| Attack Vector | Network |
| Privileges Required | None |
| Attack Complexity | Low |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Products Vulnerable To CVE-2021-3064:
Multiple versions of PAN-OS 8.1 are affected. Most likely versions prior to 8.1.17. Palo also said that no Prisma Access users are impacted by this issue.
This vulnerability affects only PAN-OS on which GlobalProtect portal or gateway is enabled. You can verify if the GlobalProtect or gateway is enabled by checking for entries in ‘Network > GlobalProtect > Portals’ and in ‘Network > GlobalProtect > Gateways’ from the web interface.
| Versions | Affected | Unaffected |
|---|---|---|
| Prisma Access 2.2 | None | all |
| Prisma Access 2.1 | None | all |
| PAN-OS 10.1 | None | 10.1.* |
| PAN-OS 10.0 | None | 10.0.* |
| PAN-OS 9.1 | None | 9.1.* |
| PAN-OS 9.0 | None | 9.0.* |
| PAN-OS 8.1 | < 8.1.17 | >= 8.1.17 |
How To Fix CVE-2021-3064 This Memory Corruption Vulnerability?
Palo Alto confirms that the issue is fixed in version PAN-OS 8.1.17 and all later. Organizations who have enabled GlobalProtect portal or gateway on their firewalls are asked to immediately upgrade their PAN-OS to the latest version to fix the CVE-2021-3064 memory corruption vulnerability.
Additionally, for those organizations who can’t apply patches immediately, Palo has released Threat Prevention signatures 91820 & 91855 and asked to enable these signatures on traffic to block attacks against CVE-2021-3064 until you upgrade the PAN-OS.
Organizations that have not configured the GlobalProtect portal or gateway on their firewalls are not affected by this vulnerability. However, it is a good practice to upgrade the PAN-OS to the latest version. Along with that, always keep monitor logs and alerts for any suspected activities, block blocklisted IP addresses and domain names, and configure defense-in-depth such as a web application firewall, segmentation, and access controls.
We hope this post would help you in knowing How to Fix CVE-2021-3064- A Memory Corruption Vulnerability in Palo Alto Networks GlobalProtect portal. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
