CVE-2021-3064: Easily exploitable RCE flaw in Palo Alto Networks GlobalProtect VPN

Pierluigi Paganini November 11, 2021

Palo Alto Networks warns of an easily exploitable Remote Code Execution vulnerability in its GlobalProtect VPN product.

Palo Alto Networks disclosed a critical remote code execution vulnerability, tracked as CVE-2021-3064, in its GlobalProtect portal and gateway interfaces. The cybersecurity vendor warns that the vulnerability is easily exploitable by an unauthenticated network-based attacker. Successful exploitation can lead to the disruption of system processes and to the potential execution of arbitrary code with root privileges.

“A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.” reads the advisory published by Palo Alto Networks.

The vulnerability affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.17 and received a CVSS v3.1 base score of 9.8. It was discovered by researchers from Randori.

Palo Alto Networks is not aware of any attack in the wild exploiting this vulnerability.

“CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. The problematic code is not reachable externally without utilizing an HTTP smuggling technique. Exploitation of these together yields remote code execution under the privileges of the affected component on the firewall device.” reads the advisory published by Randori. “The smuggling capability was not designated a CVE identifier as it is not considered a security boundary by the affected vendor.”

According to the Randori Attack Team, an attacker must have network access to the device on the GlobalProtect service port (default port 443). Experts pointed out that this port is often accessible over the Internet. When ASLR is enabled, exploitation is more difficult, while on virtualized devices (VM-series firewalls) the attack is much easier due to the lack of ASLR.
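An added example, not from the article, Palo Alto Networks or Randori: a triage pass over a firewall inventory using the affected range given above (PAN-OS 8.1 earlier than 8.1.17) and the ASLR note for VM-series devices. The `Device` record, the priority labels and the sample inventory are constructed for illustration, and ranking a device without GlobalProtect enabled lower is an assumption drawn from the advisory's statement that the attacker needs network access to the GlobalProtect interface.

```python
import re
from typing import NamedTuple, Optional

# Affected range as stated in the article: PAN-OS 8.1 earlier than 8.1.17.
AFFECTED_TRAIN = (8, 1)
FIRST_FIXED_MAINTENANCE = 17

# PAN-OS release strings look like "8.1.16" or "8.1.15-h3" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

class Device(NamedTuple):  # hypothetical inventory record
    name: str
    sw_version: str
    vm_series: bool
    globalprotect_enabled: bool

def is_affected(sw_version: str) -> Optional[bool]:
    """True/False for a parseable version, None when it needs manual review."""
    m = VERSION_RE.match(sw_version.strip())
    if m is None:
        return None
    major, minor, maintenance = (int(g) for g in m.groups()[:3])
    # A hotfix of an earlier maintenance release (e.g. 8.1.16-h1) is still
    # earlier than 8.1.17, so the hotfix number does not change the result.
    return (major, minor) == AFFECTED_TRAIN and maintenance < FIRST_FIXED_MAINTENANCE

def triage(dev: Device) -> str:
    affected = is_affected(dev.sw_version)
    if affected is None:
        return "manual-review"
    if not affected:
        return "not-affected"
    if not dev.globalprotect_enabled:
        return "patch"  # assumption: affected release, interface not in use
    # Article: the lack of ASLR on VM-series makes the attack much easier.
    return "patch-first" if dev.vm_series else "patch-urgent"

# Constructed sample inventory, not real devices.
INVENTORY = [
    Device("fw-edge-01", "8.1.16", False, True),
    Device("fw-vm-02", "8.1.15-h3", True, True),
    Device("fw-lab-03", "8.1.17", False, True),
    Device("fw-dc-04", "9.0.14", False, True),
    Device("fw-br-05", "8.1.10", False, False),
    Device("fw-old-06", "unknown", False, True),
]

if __name__ == "__main__":
    print({d.name: triage(d) for d in INVENTORY})
```

Version strings that do not parse are routed to manual review rather than silently treated as safe.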

“Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.” Randori said.

Below is the timeline for this vulnerability:

  • 2020-10-26: Randori began initial research on GlobalProtect.
  • 2020-11-19: Randori discovered the buffer overflow vulnerability.
  • 2020-11-20: Randori discovered the HTTP smuggling capability.
  • 2020-12-01: Randori began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.
  • 2021-09-22: The buffer overflow vulnerability was disclosed by Randori to PAN.
  • 2021-10-11: The HTTP smuggling capability was disclosed by Randori to PAN.
  • 2021-11-10: PAN released patches and a security bulletin assigning the vulnerability CVE-2021-3064.
  • 2021-11-10: This report was published.
