Palo Alto Networks’ Firewalls Are Vulnerable to CVE-2021-3064. Upgrade Now!

Palo Alto Networks (PAN) had more than 10,000 vulnerable firewalls with their products exposed due to a massive vulnerability in a security appliance.

A zero-day vulnerability has been discovered in Palo Alto Networks GlobalProtect VPN that unauthenticated attackers can exploit to execute arbitrary commands on affected devices with root privileges. Using the GlobalProtect portal, administrators can lock down network endpoints, secure information about gateways, and secure any certificates required to connect to them.

The critical security flaw was identified as CVE-2021-3064 with remote code execution on vulnerable product installations. Following the discovery of this vulnerability, Palo Alto Networks provided an update that addressed CVE-2021-3064.

Vulnerability Details

CVE-2021-3064

CVE-2021-3064, a buffer overflow, occurs while processing user-supplied input into a fixed-length stack region. Without using an HTTP smuggling technique (the method of tampering with a website’s processing of HTTP requests sent by one or more users), the problematic code is not accessible from the outside world. When the exploitation of buffer overflow and HTTP smuggling technique is combined simultaneously, remote code execution is possible with the privileges of the vulnerable component on the firewall device.

This zero-day vulnerability has a critical severity rating of 9.8 of 10 and is categorized under CWE-787 (Out-of-Bounds Write) and CWE-121 (Stack-Based Buffer Overflow). According to MITRE, CWE-787 ranks the highest among the Top 25 Most Dangerous Software Weaknesses of 2021, making patching a top priority.

Invasion Process

To exploit this vulnerability, an attacker needs network access to the GlobalProtect service port (default port 443). This port is frequently accessible via the internet since the impacted product is a VPN site. Exploitation is challenging but doable on systems with Address Space Layout Randomization (ASLR) enabled, which appears to be the situation in most hardware devices. The lack of ASLR on virtualized devices (VM-series firewalls) makes exploiting them considerably easier, and researchers expect publicly available exploits to surface.

Observations

• The vulnerability consists of a way for circumventing external web server validations (HTTP smuggling) and a stack-based buffer overflow.

• This vulnerability chain has been proven to allow remote code execution on physical and virtual firewall products.

• At present, there is no publicly known exploit code.

• The vulnerability affects all versions of PAN-OS 8.1 prior to 8.1.17.

• PAN has released a patch for this vulnerability.

• The PAN Threat Prevention Signatures 91820 and 91855, which block exploitation of the issue, are also available.

• It is used by several Fortune 500 and other global companies.

Popular scanners such as Nessus and Qualys identified the vulnerability and labeled it with the plugin ID below.

Global Exposure

According to the search results on Shodan, there are 5,887 assets potentially affected by this CVE-2021-3064. The following is the breakdown of PAN-OS version instances running on various ports exposed to attacks.

According to the last 30 days of Google search interest, this critical vulnerability is currently trending in countries such as Japan, Canada, Poland, the United Kingdom, and India.

Trending Regions

A Patch to Fix this Vulnerability!

On November 12, 2021, the Cyber Infrastructure Security Agency (CISA) issued a warning urging the users of the PAN GlobalProtect platform to apply immediate patches. Given the high probability of VPN devices being targeted by malicious attackers, it is highly recommended that users upgrade their GlobalProtect VPN devices as soon as possible. It is also recommended that affected organizations enable threat signatures for identifiers 91820 and 91855 on traffic destined for GlobalProtect portals and gateways, which will prevent any potential attacks using CVE-2021-3064.