can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW

Deepak_K — Fri, 15 Jan 2021 06:52:01 GMT

CVE-2021-3031 PAN-OS: Information exposure in Ethernet data frame construction (Etherleak)

Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets.

This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001.

https://security.paloaltonetworks.com/CVE-2021-3031

Workarounds and Mitigations

There is no workaround to prevent the information leak in the Ethernet packets; however, restricting access to the networks mitigates the risk of this issue.

This issue fixed in latest software versions , but we need some workaround.

Can we restrict data plane interface access of NGFW as workaround for this security advisory.

Re: can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW

reaper — Fri, 15 Jan 2021 08:48:40 GMT

the vulnerability only applies to locally conneced hosts (same ethernet subnet), so a workaround would be to remove local subnet connectivity (adding routers)

upgrading up to the recommended level would probably be a better solution

topic Re: can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW in General Topics

can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW

Re: can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW