
Cybersecurity Threat Advisory 0075-21: Zero-Day Vulnerability Found in Palo Alto Security Appliances

Threat Update

Researchers have discovered a zero-day vulnerability that can allow an attacker to launch Remote Code Execution attacks on a security appliance made by Palo Alto Networks. This discovery leaves 10,000 firewalls potentially vulnerable.

Technical Detail & Additional Information

WHAT IS THE THREAT?

This vulnerability is currently being tracked as CVE-2021-3064 with a CVSS rating of 9.8. It allows unauthenticated Remote Code Execution on PAN-OS versions from 8.1 through 8.1.17. The vulnerability chain consists of a buffer overflow followed by a technique for bypassing validation performed by an external web server, commonly known as "HTTP smuggling". The exploit has been proven effective against both physical and virtual firewall products.

WHY IS IT NOTEWORTHY?

The vulnerability affects multiple versions of PAN firewalls running the GlobalProtect Portal VPN, from PAN-OS 8.1 through 8.1.17. With a CVSS score of 9.8, this zero-day vulnerability poses a severe security risk to businesses that rely on Palo Alto solutions for protection. Successful exploitation would give attackers a shell on the firewall itself, along with visibility of the internal network from which to move laterally. VPN devices are a common target for attackers.

WHAT IS THE EXPOSURE OR RISK?

Palo Alto Networks has confirmed that the number of vulnerable instances is close to 10,000. The Randori Attack team has set aside 30 days before publishing the technical details, a grace period allowing customers to patch and upgrade.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP recommends immediately patching and updating any PAN GlobalProtect firewalls to the latest released version. The patch should be applied as soon as possible because of the 30-day grace period: once it ends, technical details of the attack will be made public and available to attackers looking to take advantage of vulnerable instances.
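To act on this recommendation across a fleet, the first step is to find which firewalls report a PAN-OS version inside the affected range the advisory states (8.1 through 8.1.17) and which of those expose a GlobalProtect portal. The following Python script is an added example written for this advisory, not code from Barracuda MSP, Randori or Palo Alto Networks. It parses PAN-OS version strings, flags versions in the stated range, and triages a constructed inventory; the device names, the inventory structure, and the "-hN" hotfix suffix format are assumptions, and the advisory text does not say which hotfix closes the issue, so the hotfix number is recorded but not used in the decision.

```python
import re
from typing import List, NamedTuple, Dict, Any, Tuple

# Affected range exactly as stated in the advisory: PAN-OS 8.1 through 8.1.17.
AFFECTED_MAJOR_MINOR = (8, 1)
AFFECTED_MAX_PATCH = 17

# Accepts "8.1", "8.1.17" and "8.1.17-h1" (the "-hN" hotfix suffix is an assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int


def parse_version(text: str) -> PanOsVersion:
    """Parse a PAN-OS version string into its numeric components.

    A missing patch component is treated as .0 (so "8.1" means 8.1.0).
    Raises ValueError on anything that does not look like a version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return PanOsVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_in_affected_range(version: str) -> bool:
    """True if the version falls inside the advisory's stated range (8.1.0 .. 8.1.17).

    The hotfix number is deliberately ignored: this script cannot know which
    hotfix contains the fix, so any 8.1.x with x <= 17 is flagged for review
    against the vendor's own advisory.
    """
    v = parse_version(version)
    return (v.major, v.minor) == AFFECTED_MAJOR_MINOR and v.patch <= AFFECTED_MAX_PATCH


def triage(inventory: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, note) for every device in the affected range.

    Devices with the GlobalProtect portal enabled are the exposed ones; devices
    in range without the portal are still listed so they get patched before the
    grace period ends.
    """
    needs_patch = []
    for device in inventory:
        if not is_in_affected_range(device["version"]):
            continue
        if device["globalprotect_portal"]:
            note = "GlobalProtect portal enabled: patch first"
        else:
            note = "portal disabled: still in affected range, patch before disclosure"
        needs_patch.append((device["name"], device["version"], note))
    return needs_patch


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "fw-edge-01", "version": "8.1.12", "globalprotect_portal": True},
    {"name": "fw-edge-02", "version": "8.1.17", "globalprotect_portal": False},
    {"name": "fw-dc-01", "version": "9.1.7", "globalprotect_portal": True},
    {"name": "fw-lab-01", "version": "8.1.18", "globalprotect_portal": True},
]


if __name__ == "__main__":
    for name, version, note in triage(SAMPLE_INVENTORY):
        print(f"{name:12} {version:10} {note}")
```

In practice the inventory would come from a configuration management database or from the firewalls' own management interface; the decision logic stays the same, and the output is a patch-priority list rather than a definitive statement of exploitability, which only the vendor's advisory and a post-patch verification can give.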

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.