Vulnerability CVE 2021-3050

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Vulnerability CVE 2021-3050

L3 Networker

Hey, guys, one of my clients want the POA (Plan of Action) for this vulnerability what should I check in the firewall. I checked the Traffic WAN TO WAN the security Profiles are attached properly but the management IP is pvt i access the firewall by the public. is there any Command through CLI I enable the threat ID given  in the as the resolved PANOS IS unstable right now what should we do Now

3 REPLIES 3

L4 Transporter

Hello @FarhanKoujalgi 

 

You can enable the threat ID by CLI given in https://security.paloaltonetworks.com/CVE-2021-3050
By default, Severity Threat-ID 91439 is high and action is blocked. 
You really don't have to take any action if you have the following:
(a) A vulnerability profile is attached to the traffic to your management IP (b) Your management IP traffic is passing through your firewall data-port (c) your vulnerability profile-> vulnerability rule -> high/critical severity is set to block or default. 

 

Please note the firewall does not run IPS on the traffic destined to the management *port*, the recommendation is either to force management traffic through the firewall,  or migrate the WebUI management of the device to a data port for in-band management using an interface management profile. Here is an article at https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securi...

 

Other than the in-band solution, a few ways to force traffic through the firewall for out of band management are to create a  spare data port on a separate Management Zone, associate a management interface profile to it, and define all service routes to source from this interface. Define an Interzone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port. 

vWire can be another solution.

 

 

The fixed version of PAN-OS  10.1.2 and 9.1.11 is released.

 

 


Thanks

Himani

Himani Singh

How do I Enable the Unique threat ID Through CLI is there any command or knowledge base, please provide the docs.

L4 Transporter

Hello @FarhanKoujalgi 

 

If you want the CLI only, here are the steps assuming that you have a security rule, say rule-1, that is inspecting traffic to your web access to management, and that rule has vulnerability profile as default-base.

> configure

#set profiles vulnerability default-base threat-exception 91439 action reset-both

 

Best

Himani

Himani Singh
  • 2646 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!