CVE-2021-3037: 
PAN-OS vulnerability analysis and mitigation

An information exposure vulnerability (CVE-2021-3037) was discovered in Palo Alto Networks PAN-OS software, where connection details for scheduled configuration exports are logged in system logs. The vulnerability affects multiple versions of PAN-OS including versions 8.1.x before 8.1.19, 9.0.x before 9.0.13, and 9.1.x before 9.1.4. This issue was discovered by a customer during a security review and was publicly disclosed on April 14, 2021 (Palo Advisory).

The vulnerability exposes sensitive information through log files, specifically logging cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server. The vulnerability has been assigned a CVSS v3.1 Base Score of 2.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. This indicates a local attack vector, low attack complexity, high privileges required, and low confidentiality impact (Palo Advisory).

The primary impact of this vulnerability is the exposure of sensitive connection details in system logs, including cleartext credentials and IP addresses used for configuration exports. This information could potentially be accessed by attackers with access to system logs, leading to unauthorized access to configuration backup destinations (Palo Advisory).

The vulnerability has been fixed in PAN-OS versions 8.1.19, 9.0.13, 9.1.4, and all later PAN-OS versions. After upgrading the PAN-OS appliance, administrators must change the connection details used in scheduled configuration exports and modify the credentials on the destination server that are used to export the configuration (Palo Advisory).