zero-day vulnerability PAN's GlobalProtect firewall Hive Pro Threat Advisory

THREAT LEVEL: Amber.

For a detailed advisory, download the pdf file here.

Palo Alto Networks (PAN) released an update on November 10, 2021, that patched CVE-2021-3064, which was discovered and disclosed by Randori. This vulnerability affects PAN firewalls that use the GlobalProtect Portal VPN, and it allows for unauthenticated remote code execution on susceptible product installations. The vulnerability affects all versions of PAN-OS 8.1 prior to 8.1.17, and Randori has discovered over 10,000 vulnerable instances on internet-facing assets.

The CVE-2021-3064 vulnerability is a buffer overflow that occurs while parsing user-supplied information into a fixed-length position on the stack. Without using an HTTP smuggling approach, the troublesome code is not accessible from the outside world. An unauthenticated network-based attacker can disrupt system operations and potentially execute arbitrary code with root privileges by exploiting a memory corruption vulnerability in Palo Alto Networks GlobalProtect portal and gateway interfaces. To exploit this vulnerability, the attacker must have network access to the GlobalProtect interface.

An attacker must have network access to the device on the GlobalProtect service port(default port 443) in order to exploit this issue. This port is frequently accessible over the Internet since the impacted product is a VPN portal. Exploitation is challenging but not impossible on devices that have ASLR enabled. Due to the lack of ASLR on virtualized devices, exploitation is considerably easier.

Organizations can mitigate this vulnerability as follows:
1. A patch issued by the PAN should be used.(Link below)
2. PAN has also made Threat Prevention signatures 91820 and 91855 accessible for use by organizations to avoid exploitation until a software upgrade is scheduled.
3. Organizations that do not use the PAN firewall’s VPN features should immediately disable GlobalProtect.