Recently a group of researchers disclosed a vulnerability with a severity rating of 9.8 out of 10, after giving the vendor one year of grace before disclosing the information.
Approximately 10,000 corporate servers running Palo Alto Networks GlobalProtect VPN have been shown to be vulnerable to a buffer overflow bug that was fixed only 12 months after its discovery.
The vulnerability, tracked as CVE-2021-3064, is rated 9.8 out of 10 and occurs when user-supplied input is scanned into a fixed-length buffer on the stack.
A proof-of-concept exploit developed by researchers at Randori demonstrates the considerable damage that can result.
"This vulnerability affects our firewalls using GlobalProtect VPN and allows unauthenticated remote code execution on vulnerable installations of the product. CVE-2021-3064 affects various versions of PAN-OS 8.1 prior to 8.1.17, and we found many vulnerable instances exposed on assets connected to the Internet, more than 10,000 assets," said Randori.
Independent researcher Kevin Beaumont said the Shodan search he conducted indicates that approximately half of all GlobalProtect instances seen by Shodan were vulnerable.
The overflow occurs when the software parses user input into a fixed-length buffer on the stack.
As far as is known, the buggy code cannot be reached externally without using what is known as HTTP smuggling, an exploit technique that interferes with the way a website processes streams of HTTP requests.
The technique works when the front end and the back end of a website interpret the boundaries of an HTTP request differently, and that discrepancy desynchronizes them. Exploiting these two elements together allows remote code execution with the privileges of the affected component on the firewall device.
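The desynchronization described above depends on two HTTP parsers disagreeing about where a request body ends. The following added example (it is not code from Randori or from the article) shows the defender's side of that: a small checker that flags requests whose body framing is ambiguous, the kind of request a front-end proxy or WAF should reject or log rather than forward. The sample requests and the host name `vpn.example` are constructed for illustration.

```python
"""
Flag HTTP/1.1 requests whose body framing is ambiguous, i.e. requests that two
parsers (front end and back end) might split at different points.
Added example, not vendor or researcher code; the samples below are constructed.
"""


def parse_request(raw: bytes):
    """Split a raw request into (request_line, headers, body).

    Header names are only lower-cased, never trimmed, so that obfuscated names
    such as 'Transfer-Encoding ' (trailing space) can still be spotted.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.lower(), value.strip()))
    return request_line, headers, body


def framing_problems(raw: bytes) -> list:
    """Return the reasons why two parsers might disagree on where this request's
    body ends. An empty list means the framing is unambiguous."""
    _, headers, body = parse_request(raw)
    problems = []

    # Names that only become a framing header after trimming or replacing
    # characters: a lenient parser honours them, a strict one ignores them.
    for name, _ in headers:
        canon = name.strip().replace("_", "-")
        if canon in ("content-length", "transfer-encoding") and canon != name:
            problems.append(f"obfuscated header name {name!r}")

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # RFC 7230 says Transfer-Encoding wins, but a naive parser may use
    # Content-Length instead: the classic CL.TE / TE.CL desync.
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append(f"conflicting Content-Length values {cl_values}")
    for v in cl_values:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length {v!r}")
    for v in te_values:
        if v.lower() != "chunked":
            problems.append(f"unusual Transfer-Encoding value {v!r}")

    # For a complete request framed by a single Content-Length, the body that
    # actually arrived must match the declared length.
    if len(set(cl_values)) == 1 and not te_values and cl_values[0].isdigit():
        declared = int(cl_values[0])
        if len(body) != declared:
            problems.append(f"Content-Length {declared} but {len(body)} body bytes received")
    return problems


# Constructed sample traffic: one clean request and three ambiguous ones.
SAMPLES = {
    "benign": b"POST / HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te": (b"POST / HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 6\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"),
    "duplicate_cl": (b"POST / HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n"
                     b"Content-Length: 3\r\n\r\nhello"),
    "obfuscated_te": (b"POST / HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 4\r\n"
                      b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
}


def scan(samples: dict) -> dict:
    """Map each sample name to its framing problems, keeping only flagged ones."""
    return {name: p for name, raw in samples.items() if (p := framing_problems(raw))}


if __name__ == "__main__":
    for name, problems in scan(SAMPLES).items():
        print(name, "->", "; ".join(problems))
```

A front end that applies a check like this and refuses ambiguous requests never forwards a body it interprets differently from the back end, which removes the precondition for the smuggling step regardless of what bug sits behind it.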
Below are the main findings of the discovery and research:
- The vulnerability chain consists of a method of bypassing the external web server's validation (HTTP smuggling) and a stack-based buffer overflow.
- Affects Palo Alto firewalls running the PAN-OS 8.1 series with GlobalProtect enabled (specifically versions < 8.1.17).
- Exploiting the chain of vulnerabilities has been shown to allow remote code execution in physical and virtual firewall products.
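The affected range above (PAN-OS 8.1 below 8.1.17, GlobalProtect enabled) is easy to get wrong in an inventory script because version strings do not sort like numbers. The following added example (not vendor code) checks a constructed inventory against that range. It assumes PAN-OS version strings of the form MAJOR.MINOR.MAINT with an optional `-hN` hotfix suffix such as `8.1.16-h2`; the host names and versions are made up.

```python
"""
Check a firewall inventory against the affected range stated in the article:
PAN-OS 8.1.x earlier than 8.1.17 with GlobalProtect enabled.
Added example, not vendor code. Assumes version strings like '8.1.16-h2'.
"""

FIXED_VERSION = (8, 1, 17, 0)  # first 8.1 release the article names as fixed


def parse_panos_version(version: str) -> tuple:
    """'8.1.16-h2' -> (8, 1, 16, 2); a missing hotfix or field counts as 0."""
    base, _, hotfix = version.strip().partition("-h")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], int(hotfix) if hotfix else 0)


def is_affected(version: str, globalprotect_enabled: bool = True) -> bool:
    """True when the device is in the 8.1 series, below 8.1.17, and exposes GlobalProtect."""
    if not globalprotect_enabled:
        return False
    parsed = parse_panos_version(version)
    return parsed[:2] == (8, 1) and parsed < FIXED_VERSION


def naive_string_check(version: str) -> bool:
    """The tempting but wrong check: lexicographic comparison of version strings."""
    return version.startswith("8.1.") and version < "8.1.17"


# Constructed inventory rows (names and versions are illustrative only).
INVENTORY = [
    {"host": "fw-edge-1", "version": "8.1.9", "globalprotect": True},
    {"host": "fw-edge-2", "version": "8.1.17", "globalprotect": True},
    {"host": "fw-edge-3", "version": "8.1.16-h2", "globalprotect": True},
    {"host": "fw-dc-1", "version": "8.1.12", "globalprotect": False},
    {"host": "fw-dc-2", "version": "9.1.3", "globalprotect": True},
]


def affected_hosts(inventory: list) -> list:
    """Hosts that still need the 8.1.17 fix (or GlobalProtect disabled)."""
    return [row["host"] for row in inventory
            if is_affected(row["version"], row["globalprotect"])]


if __name__ == "__main__":
    print("affected:", affected_hosts(INVENTORY))
    # '8.1.9' sorts after '8.1.17' as a string, so the naive check misses it.
    print("naive check on 8.1.9:", naive_string_check("8.1.9"))
```

The `naive_string_check` function is included only to show the failure mode: `"8.1.9" < "8.1.17"` is false as a string comparison, so a script written that way would report a vulnerable 8.1.9 device as fixed. Devices with GlobalProtect disabled are excluded because the article ties the exposure to that service being enabled.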
As of today there is no publicly available exploit code.
Patches are available from the vendor.
PAN Threat Prevention signatures are also available (IDs 91820 and 91855) to block exploitation of this issue.
To exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (port 443 by default). Since the affected product is a VPN portal, this port is often reachable from the Internet. On devices with address space layout randomization (ASLR) enabled, which appears to be the case for most devices, exploitation is difficult but possible.
On virtualized devices (VM-Series firewalls), exploitation is significantly easier due to the lack of ASLR, and Randori expects public exploits to emerge.
The Randori researchers were not able to turn the buffer overflow into controlled code execution on certain versions of hardware devices with MIPS-based management-plane CPUs, due to their big-endian architecture, although the overflow is reachable on these devices and can be used to disrupt the availability of the service.
Randori recommends affected organizations apply the fixes provided by PAN. Additionally, PAN has made available signatures that can be activated to thwart exploitation while organizations plan to update software.
For organizations that do not use the VPN feature as part of the firewall, we recommend disabling GlobalProtect.
Finally, if you are interested in learning more, you can consult the details at the following link.