PAN Security Advisory (11-AUG-2021)


Cyber Elite

Thought I would just put this notice out since I know a lot of people don't actually subscribe to security advisories directly. If you haven't already, I highly recommend that you sign up for notifications via https://security.paloaltonetworks.com/ and the 'Subscribe' feature at the top right.

As a general statement, you should ensure that you are on a respective PAN-OS build that is free of any published vulnerabilities or have compensating controls in place to protect your environment from vulnerabilities.

 

CVE-2021-3050: PAN-OS: Command Injection Vulnerability in Web Interface.

CVSS: 8.8

An authenticated administrator can execute arbitrary OS commands to escalate privileges. 

Version        Unaffected
PAN-OS 10.1    >= 10.1.2
PAN-OS 10.0    >= 10.0.8
PAN-OS 9.1     >= 9.1.11
PAN-OS 9.0     >= 9.0.15

 

CVE-2021-3046: PAN-OS: Improper SAML Authentication Vulnerability in GlobalProtect Portal

CVSS: 6.8

An improper authentication vulnerability exists that enables a SAML authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication.

Version        Unaffected
PAN-OS 10.1    10.1.* (not affected by vuln)
PAN-OS 10.0    >= 10.0.5
PAN-OS 9.1     >= 9.1.9
PAN-OS 9.0     >= 9.0.14
PAN-OS 8.1     >= 8.1.19

 

CVE-2021-3048: PAN-OS: Invalid URLs in an EDL can lead to firewall outage

CVSS: 5.9

Certain invalid URL entries contained in an EDL cause the devsrvr to stop responding. This condition causes subsequent commits to fail and prevents administrators from performing commits and configuration changes, however the firewall remains otherwise functional. If the firewall restarts, it results in a DoS condition and the firewall stops processing traffic.

Version        Unaffected
PAN-OS 10.1    10.1.* (not affected by vuln)
PAN-OS 10.0    >= 10.0.5
PAN-OS 9.1     >= 9.1.9
PAN-OS 9.0     >= 9.0.14
PAN-OS 8.1     8.1.* (not affected by vuln)

 

CVE-2021-3045: PAN-OS: OS Command Argument Injection in Web Interface

CVSS: 4.9

An OS command injection vulnerability exists in the web interface that enables an authenticated administrator to read any arbitrary file from the file system.

Version        Unaffected
PAN-OS 10.1    10.1.* (not affected by vuln)
PAN-OS 10.0    10.0.* (not affected by vuln)
PAN-OS 9.1     >= 9.1.10
PAN-OS 9.0     >= 9.0.14
PAN-OS 8.1     >= 8.1.19

 

CVE-2021-3047: PAN-OS: Weak Cryptography used in web interface authentication

CVSS: 4.2

A cryptographically weak pseudo-random number generator is used during authentication to the web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session.

Version        Unaffected
PAN-OS 10.1    10.1.* (not affected by vuln)
PAN-OS 10.0    >= 10.0.4
PAN-OS 9.1     >= 9.1.10
PAN-OS 9.0     >= 9.0.14
PAN-OS 8.1     >= 8.1.19

 

CVE-2021-26701: XSOAR: Impact of PowerShell Vulnerability CVE-2021-26701

CVSS: 0

XSOAR maintains docker images with PowerShell available for customers to use. The base image was updated on May 19, 2021 with PowerShell version 7.1.3. PAN urges customers to upgrade their docker images to a version with the tag 7.1.3 or higher to protect against PowerShell vulnerability CVE-2021-26701.
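As an added example (not part of the post above or of Palo Alto Networks' own tooling), a small Python check that transcribes the five PAN-OS fixed-version tables from the post and reports which of those CVEs still apply to a given build. Dropping a hotfix suffix such as `-h3` before comparing is an assumption of this script; release families a table does not list are reported as unknown rather than guessed.

```python
"""Check a PAN-OS build against the fixed versions transcribed from the
11-AUG-2021 advisory summary above. Example code added to this thread,
not Palo Alto Networks' tooling; the table below is copied from the post."""
from typing import Dict, List, Optional, Tuple

# CVE -> {release family: first unaffected build}. None = family not affected.
FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "CVE-2021-3050": {"10.1": "10.1.2", "10.0": "10.0.8", "9.1": "9.1.11", "9.0": "9.0.15"},
    "CVE-2021-3046": {"10.1": None, "10.0": "10.0.5", "9.1": "9.1.9", "9.0": "9.0.14", "8.1": "8.1.19"},
    "CVE-2021-3048": {"10.1": None, "10.0": "10.0.5", "9.1": "9.1.9", "9.0": "9.0.14", "8.1": None},
    "CVE-2021-3045": {"10.1": None, "10.0": None, "9.1": "9.1.10", "9.0": "9.0.14", "8.1": "8.1.19"},
    "CVE-2021-3047": {"10.1": None, "10.0": "10.0.4", "9.1": "9.1.10", "9.0": "9.0.14", "8.1": "8.1.19"},
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'PAN-OS 9.1.10-h3' -> (9, 1, 10). The hotfix suffix is dropped, assuming
    a hotfix of an unaffected base build is also unaffected."""
    core = text.replace("PAN-OS", "").strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

def assess(version: str) -> Dict[str, str]:
    """Classify each CVE in the post for one build: affected, fixed,
    not affected, or unknown (release family absent from that CVE's table)."""
    v = parse_version(version)
    family = f"{v[0]}.{v[1]}"
    status: Dict[str, str] = {}
    for cve, families in FIXED.items():
        if family not in families:
            status[cve] = "unknown"        # not listed in the post; check the full advisory
        elif families[family] is None:
            status[cve] = "not affected"
        elif v >= parse_version(families[family]):
            status[cve] = "fixed"
        else:
            status[cve] = "affected"
    return status

def open_cves(version: str) -> List[str]:
    """CVEs from the post that still apply to this build, sorted by id."""
    return sorted(cve for cve, s in assess(version).items() if s == "affected")

if __name__ == "__main__":
    # Constructed sample builds, one per release family in the tables.
    for build in ("PAN-OS 8.1.19", "PAN-OS 9.0.14", "PAN-OS 9.1.9", "PAN-OS 10.0.4", "PAN-OS 10.1.1"):
        status = assess(build)
        unknown = [c for c, s in status.items() if s == "unknown"]
        print(f"{build}: open={open_cves(build)} unknown={unknown}")
```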


Community Team Member

Great info ! Thanks for the heads up @BPry !

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

L1 Bithead

Hi, the versions with the fix for CVE-2021-3050 (9.0.15, 9.1.11, 10.0.8, 10.1.2) do not appear to be available yet, any idea if they will be released soon?

@Pzilla,

I didn’t include it in my summary, but PAN actually includes guidance in the official advisory. They intend to have it available in September. 

We intend to fix this issue in PAN-OS 9.0.15 (ETA November 2021), PAN-OS 9.1.11 (ETA September 2021), PAN-OS 10.0.8 (ETA September 2021), PAN-OS 10.1.2 (ETA September 2021) and all later PAN-OS versions.
