Palo Alto Networks published 8 new Security Advisories on 10 November 2021 regarding vulnerabilities in PAN-OS. One CVE is highlighted below, and firewall administrators should take the action recommended in the Security Advisories as soon as possible. For details, please refer to https://security.paloaltonetworks.com/.
PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates (CVE-2021-3059)
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges.
Required Configuration for Exposure:
This issue is applicable only to PAN-OS firewall configurations that receive dynamic updates. You can verify whether your firewall receives dynamic updates at ‘Device Deployment > Dynamic Updates’ in the web interface.
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;
PAN-OS 10.1 versions earlier than PAN-OS 10.1.3
Upgrade your PAN-OS firewall to a fixed version as soon as possible.
This issue is fixed in:
PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions
Prisma Access 2.2 Preferred and all later Prisma Access versions.
Workarounds and Mitigations
Disable scheduled dynamic updates for the firewall at ‘Device Deployment > Dynamic Updates’ in the web interface. Choosing not to receive dynamic updates will minimize your exposure to this vulnerability until you upgrade the PAN-OS firewall to a fixed version.
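The affected and fixed version lists above can be checked against a firewall inventory with a short script. This is an added example, not code from Palo Alto Networks or from this notice; the hostnames and versions in it are constructed, and treating branches newer than 10.1 as fixed is a reading of the "all later PAN-OS versions" wording.

```python
import re

# First fixed release per PAN-OS branch, taken from the advisory text above.
FIXED = {
    (8, 1): (20, 1),   # 8.1.20-h1
    (9, 0): (14, 3),   # 9.0.14-h3
    (9, 1): (11, 2),   # 9.1.11-h2
    (10, 0): (8, 0),   # 10.0.8
    (10, 1): (3, 0),   # 10.1.3
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'major.minor.maint[-hN]' into ((major, minor), (maint, hotfix))."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint = (int(g) for g in m.group(1, 2, 3))
    return (major, minor), (maint, int(m.group(4) or 0))


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for CVE-2021-3059."""
    branch, release = parse(version)
    if branch in FIXED:
        return "affected" if release < FIXED[branch] else "fixed"
    # Assumption: "all later PAN-OS versions" covers branches newer than 10.1.
    # Branches older than 8.1 are not mentioned, so they are reported, not guessed.
    return "fixed" if branch > max(FIXED) else "unlisted"


def triage(inventory):
    """Map each hostname to its status; versions that do not parse are flagged."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are sample data).
    sample = {"fw-edge-01": "9.0.14-h2", "fw-dc-02": "10.1.3", "fw-lab-03": "8.0.20"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A firewall reported as "affected" is exposed only if it also receives dynamic updates, as stated under Required Configuration for Exposure.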