Details withheld about dangerous threat as orgs given one-month patching window
Security researchers have discovered a high-impact vulnerability on some versions of the widely used Palo Alto GlobalProtect Firewall/VPN that leaves enterprise networks open to attack.
The vulnerability (CVE-2021-3064, with a ‘critical’ CVSS score of 9.8) allows for unauthenticated remote code execution (RCE) on multiple versions of PAN-OS 8.1 prior to 8.1.17.
Systems running PAN-OS versions 9.0, 9.1, 10.0, and 10.1 are not affected, but that still leaves thousands of older, internet-exposed systems open to attack.
The security flaw was discovered by Randori, a red team-focused security consultancy, a year ago. Randori has since developed a working exploit that illustrates the scope for potential mischief.
“If an attacker successfully exploits this vulnerability they gain a shell on the affected target, access sensitive configuration data, extract credentials, and more,” the researchers said.
“Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”
Randori reported the issue to Palo Alto, which released patches earlier this week.
Palo Alto’s advisory on Wednesday (November 10) acknowledges that some versions of its firewall products are vulnerable while stating that there is no evidence of attacker exploitation. It reads:
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.
Palo Alto confirms that the flaw presents an unauthenticated RCE risk. “This issue enables an unauthenticated network-based attacker with access to a GlobalProtect interface to execute arbitrary code with root user privileges,” it warns.
One-month patch window
PAN-OS 8.1.17 and all later PAN-OS versions resolve the risk. Only PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled are at risk, and only if they are still on the older but still widely used PAN-OS 8.1 branch.
The exploit developed by Randori involves chaining together a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow (a memory corruption issue).
Both physical and virtual firewall products running the affected software are vulnerable.
“Publicly available exploit code does not exist at this time,” Randori said.
More technical details on the vulnerability will only be released on December 10, giving enterprises around a month to carry out security triage and apply mitigations or patch systems.
For organizations not using the VPN capability as part of the firewall, Randori recommends that GlobalProtect should be disabled.
In other cases, web application firewall, segmentation, and access controls offer the potential to limit risk short of patching, which remains the best method for protecting vulnerable systems.
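As an added example (not code from the article, Randori or Palo Alto), the affected-version condition stated above can be turned into a triage helper that flags devices in an inventory which need patching or GlobalProtect disabled. The inventory fields and the "-hN" hotfix suffix format are assumptions made for the example, and the device data is constructed.

```python
import re
from dataclasses import dataclass

# Condition from the advisory coverage: PAN-OS 8.1.x earlier than 8.1.17 is
# affected, and only when a GlobalProtect portal or gateway is enabled.
# 9.0, 9.1, 10.0 and 10.1 are not affected.
FIXED_8_1 = (8, 1, 17)

# Assumed version format: major.minor.maintenance with optional "-h<N>" hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maint, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version, globalprotect_enabled):
    """True only for 8.1.x below 8.1.17 with a GlobalProtect portal/gateway on."""
    v = parse_panos_version(version)
    if not globalprotect_enabled:
        return False          # no GlobalProtect interface exposed: not at risk
    if v[:2] != (8, 1):
        return False          # other branches are not affected
    return v[:3] < FIXED_8_1  # hotfix level does not matter below 8.1.17


@dataclass
class Firewall:
    name: str
    version: str
    globalprotect_enabled: bool


def triage(inventory):
    """Names of devices that must be patched or have GlobalProtect disabled."""
    return [fw.name for fw in inventory
            if is_vulnerable(fw.version, fw.globalprotect_enabled)]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "8.1.16", True),      # vulnerable
    Firewall("edge-fw-02", "8.1.16-h2", True),   # vulnerable (hotfix of 8.1.16)
    Firewall("edge-fw-03", "8.1.17", True),      # fixed
    Firewall("dc-fw-01", "9.1.3", True),         # branch not affected
    Firewall("lab-fw-01", "8.1.5", False),       # GlobalProtect disabled
]

if __name__ == "__main__":
    print("needs action:", triage(SAMPLE_INVENTORY))
```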
In a statement to the press, Randori estimated – based on data from Shodan – that there are currently more than 70,000 vulnerable Palo Alto GlobalProtect Firewall/VPN instances exposed on internet-facing assets.
However, in a technical blog post, Randori talks about more than 10,000 exposed systems.
The Daily Swig has asked for clarification on this point, as well as comment on the type of malfeasance created by the vulnerability. We will update this story as and when more information comes to hand.