PAN-OS Vulnerabilities

Palo Alto Networks has published 8 new Security Advisories on 10 November 2021 regarding to vulnerabilities on PAN-OS, one CVE below is highlighted and firewall administrator should take the necessary action as recommended on the Security Advisories as soon as possible. Details please refer to https://security.paloaltonetworks.com/.

Vulnerabilities

PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates (CVE-2021-3059)
- Description:
  An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges.
- Required Configuration for Exposure:
  This issue is applicable only to PAN-OS firewall configurations that receive dynamic updates. You can verify that your firewall receives dynamic updates at ‘Device Deployment > Dynamic Updates’ in the web interface

Severity Level

High
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Systems

PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.8;
PAN-OS 10.1 versions earlier than PAN-OS 10.1.3Apache HTTP Server version 2.4.49

Remediation

Upgrade your PAN-OS firewall to a fixed version asap.
This issue is fixed in:
- PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions
- Prisma Access 2.2 Preferred and all later Prisma Access versions.

Workarounds and Mitigations

Disable scheduled dynamic updates for the firewall at ‘Device Deployment > Dynamic Updates’ in the web interface. Choosing not to receive dynamic updates will minimize your exposure to this vulnerability until you upgrade the PAN-OS firewall to a fixed version.

Reference

Palo Alto Networks Security Advisories:
https://securityadvisories.paloaltonetworks.com
PAN-OS upgrade best practices:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK

Enquiry

ITSC Service Desk: http://servicedesk.itsc.cuhk.edu.hk
If you need assistant for the above, or would like to have a compromise assessment, please contact your firewall vendor for the details.

Published on: 12 Nov 2021

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.