{"id":7480,"date":"2021-12-17T19:10:21","date_gmt":"2021-12-18T02:10:21","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7480"},"modified":"2023-04-05T12:36:35","modified_gmt":"2023-04-05T19:36:35","slug":"palo-alto-networks-firewalls-are-vulnerable-to-cve-2021-3064-upgrade-now","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/palo-alto-networks-firewalls-are-vulnerable-to-cve-2021-3064-upgrade-now\/","title":{"rendered":"Palo Alto Networks\u2019 Firewalls Are Vulnerable to CVE-2021-3064. Upgrade Now!"},"content":{"rendered":"
\n

More than 10,000 Palo Alto Networks (PAN) firewalls were exposed to the internet with a critical vulnerability in the GlobalProtect VPN component of the security appliance.<\/p>\n<\/blockquote>\n

 <\/p>\n

A zero-day vulnerability has been discovered in Palo Alto Networks GlobalProtect VPN that unauthenticated attackers can exploit to execute arbitrary commands on affected devices with root privileges. The GlobalProtect portal is the component that manages the VPN deployment: endpoints connect to it to receive their configuration, the list of available gateways, and the certificates required to connect to those gateways, and administrators use it to enforce policy on those endpoints.<\/p>\n

 <\/p>\n

The critical flaw, tracked as CVE-2021-3064, allows remote code execution on vulnerable installations; it affects PAN-OS 8.1 versions earlier than 8.1.17. Following the disclosure, Palo Alto Networks released an update<\/a> (PAN-OS 8.1.17) that addresses CVE-2021-3064.<\/p>\n

 <\/p>\n

Vulnerability Details<\/h2>\n

CVE-2021-3064<\/strong><\/p>\n

 <\/p>\n

CVE-2021-3064 is a stack-based buffer overflow: user-supplied input is copied into a fixed-length buffer on the stack without a check that it fits. On its own, the vulnerable code is not reachable from outside, because a front-end web server validates incoming requests before they reach it. HTTP request smuggling (crafting a request that the front-end and the back-end parse differently, so that the back-end processes a request the front-end never inspected) bypasses that validation. Chaining the two, an attacker reaches the overflow and gains remote code execution with the privileges of the vulnerable component on the firewall.<\/p>\n
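As an added illustration of the vulnerable pattern described above (constructed example code, not PAN-OS source and not an exploit for this CVE), the block below copies a request parameter into a fixed-length stack buffer with and without a bound check. The parser find_param, the handlers handle_login_vulnerable and handle_login_hardened, the probe overlong_probe and the 64-byte VALUE_MAX are all hypothetical. The HTTP smuggling step that makes the real code reachable is not modelled; only the overflow itself and its fix are.<\/p>\n

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-length stack region; the real size in PAN-OS is not
 * given on the page and is not needed to show the pattern. */
#define VALUE_MAX 64

/* Find the value of `key` in a "k=v&k2=v2" request body (constructed,
 * simplified parser). Sets *out_len and returns a pointer into `body`,
 * or NULL when the key is absent. */
static const char *find_param(const char *body, const char *key, size_t *out_len)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e = strchr(v, '&');
            *out_len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* VULNERABLE pattern (CWE-121): the attacker controls vlen, the stack
 * buffer is fixed. A "user=" value longer than 63 bytes overwrites whatever
 * follows `user` on the stack, up to and including the saved return address.
 * Only call this with short input; the overlong case is undefined behaviour
 * by design and is exactly what an exploit relies on. */
int handle_login_vulnerable(const char *body)
{
    char user[VALUE_MAX];
    size_t vlen = 0;
    const char *v = find_param(body, "user", &vlen);

    if (v == NULL)
        return -1;
    memcpy(user, v, vlen);     /* no bound check against sizeof user */
    user[vlen] = '\0';
    return (int)strlen(user);
}

/* Hardened form: check the length before touching the stack buffer and
 * reject oversized input instead of truncating it silently. */
int handle_login_hardened(const char *body)
{
    char user[VALUE_MAX];
    size_t vlen = 0;
    const char *v = find_param(body, "user", &vlen);

    if (v == NULL)
        return -1;
    if (vlen >= sizeof user)   /* leave room for the terminating NUL */
        return -2;
    memcpy(user, v, vlen);
    user[vlen] = '\0';
    return (int)strlen(user);
}

/* Build a constructed body "user=AAAA..." with n A's and run the hardened
 * handler on it, so the boundary can be checked without touching the
 * vulnerable path. Returns the handler's result, or -3 if n does not fit. */
int overlong_probe(size_t n)
{
    char body[512];

    if (n > sizeof body - 6)   /* "user=" + n bytes + NUL */
        return -3;
    memcpy(body, "user=", 5);
    memset(body + 5, 'A', n);
    body[5 + n] = '\0';
    return handle_login_hardened(body);
}

int main(void)
{
    printf("short value, vulnerable handler: %d\n",
           handle_login_vulnerable("user=alice&pw=x"));
    printf("63-byte value, hardened: %d\n", overlong_probe(63));
    printf("64-byte value, hardened: %d (rejected)\n", overlong_probe(64));
    printf("300-byte value, hardened: %d (rejected)\n", overlong_probe(300));
    return 0;
}
```

Compiled with stack protection (for example gcc -fstack-protector-strong), an overlong call to the vulnerable handler aborts with a stack-smashing message instead of returning into attacker-controlled data; ASLR then further complicates turning a surviving overwrite into code execution, which is the difference between hardware and VM-Series devices discussed later on this page.<\/p>\n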

 <\/p>\n

This zero-day vulnerability carries a critical CVSS score of 9.8 out of 10 and is classified under CWE-787 (Out-of-Bounds Write) and CWE-121 (Stack-Based Buffer Overflow). CWE-787 ranks first in MITRE's 2021 CWE Top 25 Most Dangerous Software Weaknesses<\/a>, which makes patching a top priority.<\/p>\n

 <\/p>\n

Exploitation Process<\/h2>\n

 <\/p>\n

To exploit<\/a> this vulnerability, an attacker needs network access to the GlobalProtect service port (443 by default). Because the affected product is a VPN portal, that port is frequently reachable from the internet. Exploitation is difficult but possible on devices with Address Space Layout Randomization (ASLR) enabled, which appears to be the case for most hardware appliances. Virtualized devices (VM-Series firewalls) lack ASLR, which makes them considerably easier to exploit, and researchers expect public exploits to surface. Until the upgrade is applied, restricting access to the GlobalProtect portal and gateway interfaces to known source addresses reduces exposure.<\/p>\n

 <\/p>\n

Observations<\/h2>\n

 <\/p>\n