Remote Code Execution Zero-Day Reported in PAN-OS 8.1 VPN Portal
Researchers have published an advisory on a memory corruption vulnerability (CVE-2021-3064) in the Palo Alto Networks GlobalProtect portal.
The bug has been fixed since PAN-OS version 8.1.17, but details of CVE-2021-3064 were not released until recently.
Shodan shows tens of thousands of devices currently vulnerable.
A remote, unauthenticated attacker would be able to execute code on a vulnerable device and, from there, gain access to the rest of the network.
Check the running version of PAN-OS.
PAN-OS 8.1 versions earlier than 8.1.17
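One way to run this version check across several firewalls, as an added example that is not part of the original advisory. It assumes the output of the PAN-OS `show system info` CLI command has been saved per device; the sample text and hostnames below are constructed, and versions that cannot be parsed are flagged for manual review.

```python
import re

# Affected range stated in the advisory: PAN-OS 8.1 earlier than 8.1.17.
AFFECTED_TRAIN, FIRST_FIXED_MAINT = (8, 1), 17
# Version strings look like "8.1.16" or "8.1.15-h3" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")

def is_affected(version_text):
    """True/False for a parseable version, None when manual review is needed."""
    m = VERSION_RE.match(version_text.strip())
    if m is None:
        return None
    major, minor, maint = (int(g) for g in m.groups())
    # A hotfix of an older maintenance release (8.1.16-h1) is still below 8.1.17.
    return (major, minor) == AFFECTED_TRAIN and maint < FIRST_FIXED_MAINT

def audit(system_info_dumps):
    """Map hostname -> (sw-version, affected) from saved 'show system info' text."""
    results = {}
    for dump in system_info_dumps:
        pairs = (ln.split(":", 1) for ln in dump.splitlines() if ":" in ln)
        fields = {k.strip(): v.strip() for k, v in pairs}
        version = fields.get("sw-version", "")
        results[fields.get("hostname", "unknown")] = (version, is_affected(version))
    return results

# Constructed sample output (not from real devices), trimmed to two fields.
SAMPLE = [
    "hostname: fw-edge-01\nsw-version: 8.1.16\n",
    "hostname: fw-edge-02\nsw-version: 8.1.15-h3\n",
    "hostname: fw-dc-01\nsw-version: 8.1.17\n",
    "hostname: fw-dc-02\nsw-version: 9.0.14\n",
    "hostname: fw-lab-01\nsw-version: unknown-build\n",
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "REVIEW"}
    for host, (version, affected) in audit(SAMPLE).items():
        print(f"{host:12} {version:15} {labels[affected]}")
```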
Containment, Mitigations & Remediations
PAN Threat Prevention Signatures (IDs 91820 and 91855) can be used to block the traffic.
Indicators of Compromise
VPNs are attractive targets for threat actors because they act as a front door to the rest of the network.
There are no reports of exploitation, and no proof-of-concept code has been released yet, but the researchers note that one is likely to be released soon.
T1190 – Exploit Public-Facing Application
Zero-Day Disclosure: Palo Alto Networks GlobalProtect VPN CVE-2021-3064