can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW

Showing results for 
Show  only  | Search instead for 
Did you mean: 

can we mitigate CVE-2021-3031 PAN-OS by restricting dataplane interfaces of NGFW

L3 Networker

CVE-2021-3031 PAN-OS: Information exposure in Ethernet data frame construction (Etherleak)

Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets.

This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001.


Workarounds and Mitigations

There is no workaround to prevent the information leak in the Ethernet packets; however, restricting access to the networks mitigates the risk of this issue.


This issue fixed in latest software versions , but we need some workaround.


Can we restrict data plane interface access of NGFW as workaround for this security advisory.


Cyber Elite
Cyber Elite

the vulnerability only applies to locally conneced hosts (same ethernet subnet), so a workaround would be to remove local subnet connectivity (adding routers)


upgrading up to the recommended level would probably be a better solution



Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!