PAN Security Advisory (11-AUG-2021)

BPry — Wed, 11 Aug 2021 17:34:12 GMT

Thought I would just put this notice out since I know a lot of people don't actually subscribe to security advisories directly. If you haven't already, I highly recommend that you sign up for notifications via https://security.paloaltonetworks.com/ and the 'Subscribe' feature at the top right.

As a general statement, you should ensure that you are on a respective PAN-OS build that is free of any published vulnerabilities or have compensating controls in-place to protect your environment from vulnerabilities.

CVE-2021-3050: PAN-OS: Command Injection Vulnerability in Web Interface.

CVSS: 8.8

An authenticated administrator can execute arbitrary OS commands to escalate privileges.

Version	Unaffected
PAN-OS 10.1	>= 10.1.2
PAN-OS 10.0	>= 10.0.8
PAN-OS 9.1	>= 9.1.11
PAN-OS 9.0	>= 9.0.15

CVE-2021-3046: PAN-OS: Improper SAML Authentication Vulnerability in GlobalProtect Portal

CVSS: 6.8

AN improper authentication vulnerability exists that enables a SAMB authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication.

Version	Unaffected Version
PAN-OS 10.1	10.1.* (not affected by Vuln)
PAN-OS 10.0	>= 10.0.5
PAN-OS 9.1	>= 9.1.9
PAN-OS 9.0	>= 9.0.14
PAN-OS 8.1	>= 8.1.19

CVE-2021-3048: PAN-OS: Invalid URLs in an EDL can lead to firewall outage

CVSS: 5.9

Certain invalid URL entries contained in an EDL cause the devsrvr to stop responding. This condition causes subsequent commits to fail and prevents administrators from performing commits and configuration changes, however the firewall remains otherwise functional. If the firewall restarts, it results in a DoS condition and the firewall stops processing traffic.

Version	Unaffected
PAN-OS 10.1	10.1.* (Not affected by vuln)
PAN-OS 10.0	>= 10.0.5
PAN-OS 9.1	>= 9.1.9
PAN-OS 9.0	>= 9.0.14
PAN-OS 8.1	8.1.* (Not affected by vuln)

CVE-2021-3045: PAN-OS: OS Command Argument Injection in Web Interface

CVSS: 4.9

An OS command injection vulnerability exists in the web interface that enables an authenticated administrator to read any arbitrary file from the file system.

Version	Unaffected
PAN-OS 10.1	10.1.* (Not affected by vuln)
PAN-OS 10.0	10.0.* (Not affected by vuln)
PAN-OS 9.1	>= 9.1.10
PAN-OS 9.0	>= 9.0.14
PAN-OS 8.1	>= 8.1.19

CVE-2021-3047: PAN-OS: Weak Cryptography used in web interface authentication

CVSS: 4.2

A cryptographically weak pseudo-random number generator is used during authentication to the web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authentication web interface administrator's session.

Version	Unaffected
PAN-OS 10.1	10.1.* (Not affected by vuln)
PAN-OS 10.0	>= 10.0.4
PAN-OS 9.1	>= 9.1.10
PAN-OS 9.0	>= 9.0.14
PAN-OS 8.1	>= 8.1.19

CVE-2021-26701: XSOAR: Impact of PowerShell Vulnerability CVE-2021-26701

CVSS: 0

XSOAR maintains docker images with PowerShell available for customers to use. The base image was updated on May 19,2021 with PowerShell version 7.1.3. PAN urges customers to upgrade their docker images to a version with the tag 7.1.3 or higher to protect against PowerShell vulnerability CVE-2021-26701.

Re: PAN Security Advisory (11-AUG-2021)

kiwi — Thu, 12 Aug 2021 09:34:27 GMT

Great info ! Thanks for the heads up @BPry !

Re: PAN Security Advisory (11-AUG-2021)

Pzilla — Thu, 12 Aug 2021 23:30:10 GMT

Hi, the versions with the fix for CVE-2021-3050 (9.0.15, 9.1.11, 10.0.8, 10.1.2) do not appear to be available yet, any idea if they will be released soon?

Re: PAN Security Advisory (11-AUG-2021)

BPry — Thu, 12 Aug 2021 23:59:11 GMT

@Pzilla,

I didn’t include it in my summary, but PAN actually includes guidance in the official advisory. They intend to have it available in September.

We intend to fix this issue in PAN-OS 9.0.15 (ETA November 2021), PAN-OS 9.1.11 (ETA September 2021), PAN-OS 10.0.8 (ETA September 2021), PAN-OS 10.1.2 (ETA September 2021) and all later PAN-OS versions.

topic PAN Security Advisory (11-AUG-2021) in General Topics

PAN Security Advisory (11-AUG-2021)

Re: PAN Security Advisory (11-AUG-2021)

Re: PAN Security Advisory (11-AUG-2021)

Re: PAN Security Advisory (11-AUG-2021)