What is CVE-2021-3064 and how can it affect my firewall?
Created On 11/16/21 20:21 PM - Last Modified 11/10/22 20:04 PM
Question
What is CVE-2021-3064 and how can it affect my firewall?
Environment
- Palo Alto Firewall.
- GlobalProtect configured
- Threat Log
- CVE-2021-3064
Answer
CVE-2021-3064, PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces, is a buffer overflow vulnerability in PAN-OS 8.1.16 and earlier. If it is successfully exploited on a vulnerable firewall, an attacker can obtain a shell on the targeted firewall and potentially execute arbitrary code with root privileges. This would allow the attacker to access sensitive configuration data, extract credentials, and much more. Palo Alto Networks estimates that there are about 10,000 affected systems.
"Randori said that CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. To get to the problematic code, attackers would have to use an HTTP smuggling technique, researchers explained. Otherwise, it's not reachable externally." (Threatpost)
An attacker must be able to reach the GlobalProtect interface of the device. Because GlobalProtect is a VPN, that interface is usually reachable from the internet.
If you received an email on November 17th, you were one of our customers with a vulnerable PAN-OS version. This information was pulled from a database maintained by IT that records a minimum of data, such as the content version and the PAN-OS version, each time a firewall checks for updates. We queried for devices that have a GlobalProtect license, run a PAN-OS version earlier than 8.1.17, and have a content version older than the one that introduced the signatures, then looked up the registration details to find email contacts. Firewalls that had not checked for updates since being upgraded were still flagged, and an email was sent.
Q: Will MFA prevent the exploit described in CVE-2021-3064?
A: No
Remedy:
- Upgrade to PAN-OS 9.1.x or higher. Keep in mind that 9.0.x and 10.0.x
- If an upgrade is not possible, enabling Invalid HTTP Request Message Detection (threat IDs 91820 and 91855) adds a layer of protection.
- If GlobalProtect is not being used, ensure it is disabled.
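To make the device-selection logic from the notification paragraph above and the remedy list concrete, here is an added Python example; it is not Palo Alto Networks' code or part of any of their tools. It triages a constructed firewall inventory: it parses PAN-OS version strings (including hotfix suffixes), flags devices that hold a GlobalProtect license and run a release earlier than 8.1.17, and separates those whose content version already carries the signatures from those that do not. The record layout, the `Device` fields, and the `SIGNATURE_CONTENT_RELEASE` threshold are assumptions; the threshold is a placeholder because the article does not state which content release introduced threat IDs 91820 and 91855.

```python
import re
from dataclasses import dataclass

# Per the article: PAN-OS releases earlier than 8.1.17 are affected.
FIXED_VERSION = (8, 1, 17)

# PLACEHOLDER (assumption): the article does not say which content release
# introduced threat IDs 91820 and 91855; replace with the real release number.
SIGNATURE_CONTENT_RELEASE = 8000

# Matches '8.1.16' and hotfix builds such as '8.1.16-h2'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse a PAN-OS version string into a comparable tuple
    (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def parse_content_release(text):
    """Content versions are recorded as '<apps>-<threats>' (e.g. '8480-6940');
    return the leading release number as an int."""
    head = text.strip().split("-", 1)[0]
    if not head.isdigit():
        raise ValueError(f"unrecognised content version: {text!r}")
    return int(head)


@dataclass
class Device:
    serial: str         # constructed identifier, not a real serial number
    panos: str          # PAN-OS version reported at the last update check
    gp_licensed: bool   # whether a GlobalProtect license is present
    content: str        # content version reported at the last update check


def assess(dev):
    """Return (status, action) for one device, following the remedy list."""
    if not dev.gp_licensed:
        return ("not exposed",
                "GlobalProtect not licensed; make sure it stays disabled")
    if parse_panos_version(dev.panos)[:3] >= FIXED_VERSION:
        return ("not affected", "no action needed for CVE-2021-3064")
    if parse_content_release(dev.content) >= SIGNATURE_CONTENT_RELEASE:
        return ("signatures available",
                "confirm threat IDs 91820 and 91855 are enabled; "
                "upgrade to PAN-OS 9.1.x or later")
    return ("vulnerable",
            "upgrade to PAN-OS 9.1.x or later; until then install current "
            "content and enable threat IDs 91820 and 91855")


def triage(inventory):
    """Map each serial to its status; the non-'not affected' entries are the
    devices an operator would notify."""
    return {dev.serial: assess(dev)[0] for dev in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("FW-A", "8.1.16", True, "7800-6500"),
    Device("FW-B", "8.1.15-h3", True, "8100-7000"),
    Device("FW-C", "8.1.17-h1", True, "7800-6500"),
    Device("FW-D", "10.0.8", True, "7800-6500"),
    Device("FW-E", "8.1.10", False, "7800-6500"),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        status, action = assess(dev)
        print(f"{dev.serial:6} PAN-OS {dev.panos:10} {status:20} {action}")
```

Running the script prints one line per device with its status and the matching remedy; to use it against a real fleet, build the `Device` list from an inventory export and set `SIGNATURE_CONTENT_RELEASE` to the actual content release. Note that a content version at or after the signature release only means the signatures are installed, not that they are enabled, which is why that branch asks for confirmation rather than reporting the device as protected.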
Additional Information
References:
https://security.paloaltonetworks.com/CVE-2021-3064
https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/
https://www.tenable.com/cve/CVE-2021-3064