Researchers have identified a vulnerability in Palo Alto Networks devices that allows unauthenticated RCE and affects an estimated 70,000+ VPN/firewall appliances.

Tracked as CVE-2021-3064 and scoring 9.8 out of 10 on the CVSS severity scale, the flaw is found in PAN’s GlobalProtect firewall. It allows unauthenticated RCE on multiple versions of PAN-OS 8.1 prior to 8.1.17. Once an attacker successfully exploits the weakness, they can extract configuration data, extract credentials and more.


Vulnerability Details

CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length buffer on the stack. To reach the problematic code, attackers would have to use an HTTP smuggling technique; otherwise, it is not reachable externally.

HTTP smuggling is a method for interfering with the way a web site processes sequences of HTTP requests received from one or more users.
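Smuggling relies on two HTTP parsers in a chain disagreeing about where one request ends and the next begins, which is why a front-end proxy or WAF should reject requests whose body framing is ambiguous. The following check is an added example, not code from the article or from Palo Alto Networks; the sample requests, hostnames and paths in it are constructed placeholders.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous (a smuggling precondition)."""
from typing import List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the request head into the request line and (raw name, value) pairs.
    Header names are deliberately NOT stripped so whitespace tricks stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return request_line, headers


def smuggling_indicators(raw: bytes) -> List[str]:
    """Return the framing ambiguities found; an empty list means the request is clean."""
    _, headers = parse_head(raw)
    findings = []
    # "Transfer-Encoding : chunked" is parsed as TE by some servers and ignored by others.
    if any(name != name.strip() for name, _ in headers):
        findings.append("whitespace around header name (parser-differential trick)")
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if any(v.lower() != "chunked" for v in te):
        findings.append("non-standard Transfer-Encoding value")
    return findings


# Constructed sample requests (placeholder host and path, not from the article).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: vpn.example.internal\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: vpn.example.internal\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(smuggling_indicators(CLEAN))      # []
    print(smuggling_indicators(AMBIGUOUS))  # two findings
```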

Exploitation of the buffer overflow, carried out in conjunction with HTTP smuggling, yields RCE under the privileges of the affected component on the firewall device. To exploit the bug, an attacker needs network access to the device on the GlobalProtect service port.

On devices with ASLR enabled, exploitation is hard but possible. On virtualized devices, exploitation is significantly easier due to the lack of ASLR. On certain hardware versions with MIPS-based management plane CPUs, the overflow is reachable, but exploitation on these devices is limited to affecting the availability of services.

This refers to PAN’s virtualized firewalls, deployed in computing environments powered by VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft and Google as perimeter gateways, IPSec VPN termination points and segmentation gateways. PAN describes the firewalls as being designed to prevent threats from moving from workload to workload.


Mitigations

  • Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against this vulnerability.
  • If the GlobalProtect VPN portion of the Palo Alto firewall is not in use, disable it.
  • For any internet-facing application:
    • Disable or remove any unused features
    • Restrict the source IPs allowed to connect to services
    • Apply layered controls (WAF, firewall, segmentation)
    • Monitor logs and alerts from the device