
Big zero-day flaw found in Palo Alto security appliance

Vulnerability in GlobalProtect VPN could enable hackers to take control of the security system


Security researchers have said that a zero-day flaw in a security appliance from Palo Alto Networks could affect around 10,000 internet-facing firewalls running the vulnerable software.

Researchers at cyber security firm Randori said the flaw, tracked as CVE-2021-3064, affects Palo Alto Networks firewalls running PAN-OS with the GlobalProtect portal VPN enabled, and allows unauthenticated remote code execution on vulnerable installations.

They added that the problem affects PAN-OS 8.1 versions earlier than 8.1.17. Scanning internet-facing assets, the researchers found more than 10,000 vulnerable instances exposed online.

“Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally,” said researchers.

The researchers developed a reliable working exploit and used the capability as part of Randori's red team offering. The flaw was discovered over a year before it was disclosed.

The bug is a buffer overflow that occurs while parsing user-supplied input into a fixed-length buffer on the stack. According to the researchers, the problematic code is not reachable externally without first using an HTTP request smuggling technique.

They added that the exploitation of these together yields remote code execution under the privileges of the affected component on the firewall device. “The smuggling capability was not designated a CVE identifier as it is not considered a security boundary by the affected vendor,” added researchers.
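To make the bug class concrete, here is an added illustration in C of what "parsing user-supplied input into a fixed-length location on the stack" looks like, beside the bounded version that closes the hole. This is generic example code written for this article, not PAN-OS source or Randori's exploit; the parameter name `user`, the query-string format and the 32-byte buffer size are assumptions chosen for the demonstration, and the smuggling step needed to reach the real parser is not modelled.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_LEN 32   /* fixed-size stack buffer; size is an assumption for illustration */

/* Locate "key=" at the start of `query` or immediately after an '&'.
 * Returns a pointer to the first byte of the value, or NULL if absent. */
static const char *find_value(const char *query, const char *key) {
    size_t klen = strlen(key);
    const char *p = query;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == query || p[-1] == '&') && p[klen] == '=')
            return p + klen + 1;
        p += klen;
    }
    return NULL;
}

/* VULNERABLE pattern: copies the value of `user` into a fixed-size stack
 * buffer with no bound. A value longer than VALUE_LEN-1 bytes writes past
 * the end of `value` and corrupts the stack frame (saved registers, return
 * address), which is the class of bug the article describes.
 * Returns the value length, or -1 if `user` is absent.
 * Never call this with untrusted input. */
int handle_request_vulnerable(const char *query) {
    char value[VALUE_LEN];
    const char *v = find_value(query, "user");
    size_t i = 0;
    if (v == NULL) return -1;
    while (v[i] != '\0' && v[i] != '&') { value[i] = v[i]; i++; }
    value[i] = '\0';
    return (int)strlen(value);
}

/* HARDENED version: same parser, but the copy is bounded by the buffer size
 * and an over-long value is rejected outright rather than silently truncated
 * (truncation can itself introduce logic bugs further down).
 * Returns the value length, -1 if `user` is absent, -2 if it is too long. */
int handle_request_hardened(const char *query) {
    char value[VALUE_LEN];
    const char *v = find_value(query, "user");
    size_t i = 0;
    if (v == NULL) return -1;
    while (v[i] != '\0' && v[i] != '&') {
        if (i + 1 >= sizeof value) return -2;   /* no room for this byte plus the NUL */
        value[i] = v[i];
        i++;
    }
    value[i] = '\0';
    return (int)strlen(value);
}

int main(void) {
    /* Constructed inputs: a benign request and an oversized value of the
     * kind an attacker would deliver to the parser. */
    const char benign[] = "user=alice&lang=en";
    char hostile[512];
    memset(hostile, 'A', sizeof hostile);
    memcpy(hostile, "user=", 5);
    hostile[sizeof hostile - 1] = '\0';

    printf("benign  -> hardened: %d\n", handle_request_hardened(benign));   /* 5  */
    printf("hostile -> hardened: %d\n", handle_request_hardened(hostile));  /* -2 */
    /* handle_request_vulnerable(hostile) would smash the stack; deliberately not run. */
    return 0;
}
```

The vulnerable and hardened handlers differ by a single length check, which is why such bugs survive in mature code bases. Mitigations like stack canaries and ASLR only raise the cost of turning the overflow into controlled execution; they do not remove the overflow, which matches the article's point that the bug is still reachable, and usable for denial of service, even on platforms where code execution was not achieved.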

An attacker must have network access to the device on the GlobalProtect service port (443 by default) to exploit this vulnerability. Because the affected product is a VPN portal, that port is frequently reachable from the internet, the researchers said.

Exploitation is difficult but possible on devices with ASLR enabled, which is the case for most hardware appliances. On virtualised devices, the VM-series firewalls, exploitation is significantly easier because ASLR is not enabled, and Randori expects public exploits to surface.

“Randori researchers have not exploited the buffer overflow to result in controlled code execution on certain hardware device versions with MIPS-based management plane CPUs due to their big-endian architecture, though the overflow is reachable on these devices and can be exploited to limit availability of services,” they added.

To avoid enabling misuse of the flaw, Randori said it would withhold the technical details of CVE-2021-3064 from public dissemination for 30 days after the publication of its blog post on the subject.
