A Zero-Day vulnerability has been identified by the Massachusetts-based cybersecurity firm Randori in Palo Alto Networks firewalls using GlobalProtect VPN.
This Zero-Day flaw could be exploited by an unauthorized attacker to execute arbitrary code remotely on vulnerable devices with superuser privileges. This Zero-Day bug was tracked as CVE-2021-3064 scored 9.8 on the CVSS and affects the PAN-OS 8.1 and earlier than PAN-OS 8.1.17.
While the security firm Randori has also found many vulnerable instances that are exposed on internet-facing assets, in plenty of 10,000 assets.
- For bypassing the validation process, this vulnerability chain has a specific method that is made by an external web server (HTTP smuggling) along with a stack-based buffer overflow.
- This vulnerability has affected the Palo Alto firewalls that are running the 8.1 series of PAN-OS along with GlobalProtect that has been allowed.
- The exploitation of the vulnerability series has been established and enables remote code execution on both physical and virtual firewall products.
- Exploits code that is available openly does not exist at this time.
- All the fixes are available from the vendor:-
- PAN Threat Prevention Signatures are also available (IDs 91820 and 91855) to prevent the exploitation of the issue.
- Public exploit code is likely to surface as:-
- VPN devices are engaging targets for ill-disposed actors, and
- The exploitation of PA-VM virtual devices is appropriate and is made more relaxed due to their shortage of Address Space Layout Randomization (ASLR).
Vulnerability Information & Exploitation
The CVE-2021-3064 is a barrier overflow that generally befalls while parsing user-supplied input within a fixed-length location on the pipe.
However, without using the HTTP smuggling method, it’s quite difficult to get the problematic code. And that’s why here the affected product is a VPN portal.
This port is generally accessible over the Internet, and exploitation is difficult, but at the same, it is possible on devices with ASLR enabled.
Confirmed Exploitable Systems
The Randori Attack team strongly exploited the following systems along with GlobalProtect allowed and accessible:-
- Palo Alto Networks PA-5220
- PAN-OS 8.1.16
- ASLR enabled firmware for this device
- Palo Alto Networks PA-VM
- PAN-OS 8.1.15
- ASLR disabled in firmware for this device
Here are the timelines that we have mentioned below:-
- 2020-10-26: Randori began initial research on GlobalProtect.
- 2020-11-19: Randori discovered the buffer overflow vulnerability.
- 2020-11-20: Randori discovered the HTTP smuggling capability.
- 2020-12-01: Randori began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.
- 2021-09-22: The buffer overflow vulnerability was disclosed by Randori to PAN.
- 2021-10-11: The HTTP smuggling capability was disclosed by Randori to PAN.
- 2021-11-10: PAN released patches and a security bulletin assigning the vulnerability CVE-2021-3064.
- 2021-11-10: This report was published.
All the affected organizations must apply the patches that have been implemented by PAN. Not only this but one should always go for the best methods that are supported for any Internet-facing assets, that include:-
- Checking logs and warnings for unusual activity.
- Confine originating IP addresses, if attainable.
- Implementing layered controls like a web application firewall, segmentation, and access controls.
Moreover, to successfully exploit the vulnerability, the threat actors must use a technique named HTTP Request Smuggling and have network access to the device by port 443 of the GlobalProtect service.