CVE-2021-3036: 
PAN-OS vulnerability analysis and mitigation

An information exposure through log file vulnerability (CVE-2021-3036) was discovered in Palo Alto Networks PAN-OS software. The vulnerability affects PAN-OS appliances configured to use the PAN-OS XML API and occurs when a client includes duplicate API parameters in API requests. The issue was discovered by David Tien of Cyber Risk and disclosed on April 14, 2021 (Palo Advisory).

The vulnerability allows sensitive information to be logged in cleartext to the web server logs when the API is used incorrectly. The exposed information includes cleartext username, password, and API key of the administrator making the PAN-OS XML API request. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating local access required with high privileges needed but resulting in high confidentiality impact (Palo Advisory).

The vulnerability exposes administrator credentials and API keys in cleartext within log files, potentially allowing unauthorized access to administrative functions if the logs are compromised. This could lead to significant security breaches as administrator-level credentials could be extracted from the logs (Palo Advisory).

The vulnerability has been fixed in PAN-OS versions 8.1.19, 9.0.12, 9.1.6, 10.0.1, and all later versions. After upgrading the PAN-OS appliance, administrators must change passwords and generate new API keys for all impacted PAN-OS administrators. It is also recommended to confirm that there are no PAN-OS XML API requests that repeat API parameters in the request (Palo Advisory).