PAN-OS Vulnerabilities

Palo Alto Networks published 8 new Security Advisories on 10 November 2021 regarding vulnerabilities in PAN-OS. One CVE is highlighted below; firewall administrators should take the actions recommended in the Security Advisories as soon as possible. For details, please refer to https://security.paloaltonetworks.com/.


Vulnerabilities

  • PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates (CVE-2021-3059)
    • Description:
      An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges.
    • Required Configuration for Exposure:
      This issue is applicable only to PAN-OS firewall configurations that receive dynamic updates. You can verify whether your firewall receives dynamic updates at ‘Device Deployment > Dynamic Updates’ in the web interface.


Severity Level

  • High
  • CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected Systems

  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
  • PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;
  • PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;
  • PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.


Remediation

  • Upgrade your PAN-OS firewall to a fixed version as soon as possible.
  • This issue is fixed in:
    • PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions
    • Prisma Access 2.2 Preferred and all later Prisma Access versions.
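As an added illustration (not part of the advisory and not Palo Alto Networks code), the following Python check compares an inventory of firewall versions against the fixed releases listed above, treating a missing hotfix suffix as lower than any `-hN` hotfix of the same release. The hostnames and versions in the sample inventory are constructed, and the version format `major.minor.patch[-hN]` is an assumption.

```python
import re

# Fixed releases per PAN-OS train, as listed in the advisory for CVE-2021-3059.
# A train absent from this table is not covered by the advisory text, so the
# checker reports it as "unknown" instead of guessing.
FIXED_VERSIONS = {
    "8.1": "8.1.20-h1",
    "9.0": "9.0.14-h3",
    "9.1": "9.1.11-h2",
    "10.0": "10.0.8",
    "10.1": "10.1.3",
}

# Assumed version format: major.minor.patch with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '9.0.14-h3' into (9, 0, 14, 3); a release with no hotfix gets hotfix 0,
    so '8.1.20' sorts below '8.1.20-h1' as the advisory intends."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def status(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one firewall's PAN-OS version."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "unknown"
    return "vulnerable" if parsed < parse_version(fixed) else "fixed"


def triage(inventory):
    """Map each (hostname, version) pair in the inventory to its status."""
    return {host: status(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-dc1", "9.0.14-h2"),   # one hotfix short of the fixed release
    ("fw-dc2", "9.0.14-h3"),   # exactly the fixed release
    ("fw-branch", "10.0.7"),   # earlier than 10.0.8
    ("fw-edge", "10.1.4"),     # later than 10.1.3
    ("fw-legacy", "8.0.21"),   # train not covered by the advisory
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```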


Workarounds and Mitigations

  • Disable scheduled dynamic updates for the firewall at ‘Device Deployment > Dynamic Updates’ in the web interface. Choosing not to receive dynamic updates will minimize your exposure to this vulnerability until you upgrade the PAN-OS firewall to a fixed version.


Reference


Enquiry

  • ITSC Service Desk: http://servicedesk.itsc.cuhk.edu.hk
  • If you need assistance with the above, or would like to have a compromise assessment, please contact your firewall vendor for details.


Published on: 12 Nov 2021