08-11-2021 10:34 AM
Thought I would just put this notice out since I know a lot of people don't actually subscribe to security advisories directly. If you haven't already, I highly recommend that you sign up for notifications via https://security.paloaltonetworks.com/ and the 'Subscribe' feature at the top right.
As a general statement, you should ensure that you are on a respective PAN-OS build that is free of any published vulnerabilities or have compensating controls in-place to protect your environment from vulnerabilities.
CVE-2021-3050: PAN-OS: Command Injection Vulnerability in Web Interface.
CVSS: 8.8
An authenticated administrator can execute arbitrary OS commands to escalate privileges.
| Version | Unaffected |
| PAN-OS 10.1 | >= 10.1.2 |
| PAN-OS 10.0 | >= 10.0.8 |
| PAN-OS 9.1 | >= 9.1.11 |
| PAN-OS 9.0 | >= 9.0.15 |
CVE-2021-3046: PAN-OS: Improper SAML Authentication Vulnerability in GlobalProtect Portal
CVSS: 6.8
AN improper authentication vulnerability exists that enables a SAMB authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication.
| Version | Unaffected Version |
| PAN-OS 10.1 | 10.1.* (not affected by Vuln) |
| PAN-OS 10.0 | >= 10.0.5 |
| PAN-OS 9.1 | >= 9.1.9 |
| PAN-OS 9.0 | >= 9.0.14 |
| PAN-OS 8.1 | >= 8.1.19 |
CVE-2021-3048: PAN-OS: Invalid URLs in an EDL can lead to firewall outage
CVSS: 5.9
Certain invalid URL entries contained in an EDL cause the devsrvr to stop responding. This condition causes subsequent commits to fail and prevents administrators from performing commits and configuration changes, however the firewall remains otherwise functional. If the firewall restarts, it results in a DoS condition and the firewall stops processing traffic.
| Version | Unaffected |
| PAN-OS 10.1 | 10.1.* (Not affected by vuln) |
| PAN-OS 10.0 | >= 10.0.5 |
| PAN-OS 9.1 | >= 9.1.9 |
| PAN-OS 9.0 | >= 9.0.14 |
| PAN-OS 8.1 | 8.1.* (Not affected by vuln) |
CVE-2021-3045: PAN-OS: OS Command Argument Injection in Web Interface
CVSS: 4.9
An OS command injection vulnerability exists in the web interface that enables an authenticated administrator to read any arbitrary file from the file system.
| Version | Unaffected |
| PAN-OS 10.1 | 10.1.* (Not affected by vuln) |
| PAN-OS 10.0 | 10.0.* (Not affected by vuln) |
| PAN-OS 9.1 | >= 9.1.10 |
| PAN-OS 9.0 | >= 9.0.14 |
| PAN-OS 8.1 | >= 8.1.19 |
CVE-2021-3047: PAN-OS: Weak Cryptography used in web interface authentication
CVSS: 4.2
A cryptographically weak pseudo-random number generator is used during authentication to the web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authentication web interface administrator's session.
| Version | Unaffected |
| PAN-OS 10.1 | 10.1.* (Not affected by vuln) |
| PAN-OS 10.0 | >= 10.0.4 |
| PAN-OS 9.1 | >= 9.1.10 |
| PAN-OS 9.0 | >= 9.0.14 |
| PAN-OS 8.1 | >= 8.1.19 |
CVE-2021-26701: XSOAR: Impact of PowerShell Vulnerability CVE-2021-26701
CVSS: 0
XSOAR maintains docker images with PowerShell available for customers to use. The base image was updated on May 19,2021 with PowerShell version 7.1.3. PAN urges customers to upgrade their docker images to a version with the tag 7.1.3 or higher to protect against PowerShell vulnerability CVE-2021-26701.
