
Palo Alto GlobalProtect users urged to patch against critical vulnerability


John Leyden

11 November 2021 at 15:02 UTC

Updated: 11 November 2021 at 15:03 UTC

Details withheld about dangerous threat as orgs given one-month patching window


Security researchers have discovered a high-impact vulnerability in some versions of the widely used Palo Alto GlobalProtect Firewall/VPN that leaves enterprise networks open to attack.

The vulnerability (CVE-2021-3064; with a ‘critical’ CVSS score of 9.8) allows for unauthenticated remote code execution (RCE) on multiple versions of PAN-OS 8.1 prior to 8.1.17.

Systems running PAN-OS versions 9.0, 9.1, 10.0, and 10.1 are immune, but that still leaves thousands of older, internet-exposed systems open to attack.


The security flaw was discovered by Randori, a purple team-focused security consultancy, a year ago. Randori has since developed a working exploit that illustrates the scope for potential mischief.

“If an attacker successfully exploits this vulnerability they gain a shell on the affected target, access sensitive configuration data, extract credentials, and more,” the researchers said.

“Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”


Randori reported the issue to Palo Alto, which released patches earlier this week.

Palo Alto’s advisory on Wednesday (November 10) acknowledges that some versions of its firewall products are vulnerable while stating that there is no evidence of attacker exploitation. It reads:

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.

Palo Alto confirms that the flaw presents an unauthenticated RCE risk. “This issue enables an unauthenticated network-based attacker with access to a GlobalProtect interface to execute arbitrary code with root user privileges,” it warns.

One-month patch window

PAN-OS 8.1.17 and all later PAN-OS versions resolve the risk. Only PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled are at risk, providing they are still on the older but still widely used PAN-OS 8.1 branch.
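As an added example (not from the article, Randori or Palo Alto), the following Python applies the conditions above to a firewall inventory, including hotfix-suffixed version strings and branches the article does not cover. The host names, the inventory format, the sample versions and the status labels are constructed assumptions.

```python
import re

FIXED_8_1 = (8, 1, 17)  # first fixed 8.1 release, per the article
UNAFFECTED = {(9, 0), (9, 1), (10, 0), (10, 1)}  # branches the article lists
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")  # e.g. 8.1.16-h2

def parse_panos(version):
    """Return (major, minor, maintenance, hotfix), or None if unparseable."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return None
    return tuple(int(g) if g else 0 for g in match.groups())

def triage(version, globalprotect_enabled):
    """Classify one firewall against the conditions stated in the article."""
    parsed = parse_panos(version)
    if parsed is None:
        return "review: unparseable version"
    branch, release = parsed[:2], parsed[:3]
    if branch == (8, 1):
        if release >= FIXED_8_1:
            return "ok: fixed 8.1 release"
        if globalprotect_enabled:
            return "patch: vulnerable release, GlobalProtect enabled"
        return "watch: vulnerable release, GlobalProtect disabled"
    if branch in UNAFFECTED:
        return "ok: branch not affected"
    return "review: branch not covered by the article"

# Constructed inventory: (hostname, PAN-OS version, GlobalProtect enabled)
INVENTORY = [
    ("fw-edge-01", "8.1.16-h1", True),
    ("fw-edge-02", "8.1.17", True),
    ("fw-lab-01", "8.1.9", False),
    ("fw-dc-01", "10.0.8", True),
    ("fw-old-01", "8.0.20", True),
    ("fw-unknown", "n/a", True),
]

def triage_inventory(rows):
    """Map each hostname to its triage status."""
    return {host: triage(ver, gp) for host, ver, gp in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts marked "watch" are not exposed under the stated conditions but become so if a GlobalProtect portal or gateway is later enabled, so they belong on the upgrade list too.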

The exploit developed by Randori involves chaining together a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow (a memory corruption issue).

Both physical and virtual firewall products running the affected software are vulnerable.

“Publicly available exploit code does not exist at this time,” Randori said.


More technical details on the vulnerability will only be released on December 10, giving enterprises around a month to carry out security triage and apply mitigations or patch systems.

For organizations not using the VPN capability as part of the firewall, Randori recommends that GlobalProtect should be disabled.

In other cases, web application firewall, segmentation, and access controls offer the potential to limit risk short of patching, which remains the best method for protecting vulnerable systems.

In a statement to the press, Randori estimated – based on data from Shodan – that there are currently more than 70,000 vulnerable Palo Alto GlobalProtect Firewall/VPN instances exposed on internet-facing assets.

However, in a technical blog post, Randori talks about more than 10,000 exposed systems.

The Daily Swig has asked for clarification on this point, as well as comment on the type of malfeasance created by the vulnerability. We’ll update this story as and when more information comes to hand.
