01-14-2021 10:52 PM
CVE-2021-3031 PAN-OS: Information exposure in Ethernet data frame construction (Etherleak)
Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets.
This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001.
https://security.paloaltonetworks.com/CVE-2021-3031
Workarounds and Mitigations
There is no workaround to prevent the information leak in the Ethernet packets; however, restricting access to the networks mitigates the risk of this issue.
This issue fixed in latest software versions , but we need some workaround.
Can we restrict data plane interface access of NGFW as workaround for this security advisory.
01-15-2021 12:48 AM
the vulnerability only applies to locally conneced hosts (same ethernet subnet), so a workaround would be to remove local subnet connectivity (adding routers)
upgrading up to the recommended level would probably be a better solution
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
