Randori recommends affected organizations apply the patches provided by PAN.
Randori researchers have not exploited the buffer overflow to result in controlled code execution on certain hardware device versions with MIPS-based management plane CPUs due to their big endian architecture, though the overflow is reachable on these devices and can be exploited to limit availability of services.
On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface. On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. As the affected product is a VPN portal, this port is often accessible over the Internet. In order to exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (default port 443). The smuggling capability was not designated a CVE identifier as it is not considered a security boundary by the affected vendor. Exploitation of these together yields remote code execution under the privileges of the affected component on the firewall device. The problematic code is not reachable externally without utilizing an HTTP smuggling technique. ASLR disabled in firmware for this deviceĬVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack.ASLR enabled in firmware for this device.The Randori Attack team successfully exploited the following systems with GlobalProtect enabled and accessible: We will be releasing technical details on Decemand hosting a live webinar breaking down the technical details of the exploit on Decem.
Follow on Twitter for updates on future posts. More information will be released at that time. In an effort to avoid enabling misuse, technical details related to CVE-2021-3064 will be withheld from public dissemination for a period of 30 days from the date of this publication. Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally. Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. The Randori Attack Team developed a reliable working exploit and leveraged the capability as part of Randori’s continuous and automated red team platform. The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17 and Randori has found numerous vulnerable instances exposed on internet-facing assets, in excess of 10,000 assets. This vulnerability affects PAN firewalls using the GlobalProtect Portal VPN and allows for unauthenticated remote code execution on vulnerable installations of the product.
On NovemPalo Alto Networks (PAN) provided an update that patched CVE-2021-3064 which was discovered and disclosed by Randori.