CVE-2021-3047: 
PAN-OS vulnerability analysis and mitigation

A cryptographically weak pseudo-random number generator (PRNG) vulnerability (CVE-2021-3047) was discovered in the Palo Alto Networks PAN-OS web interface authentication system. The vulnerability affects multiple versions of PAN-OS including versions earlier than 8.1.19, 9.0.14, 9.1.10, and 10.0.4, while PAN-OS 10.1 versions remain unaffected. This vulnerability was discovered by Gabor Acs-Kurucz and Oliver Kunz of Google and was disclosed on August 11, 2021 (Palo Alto Advisory).

The vulnerability is classified as CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) with a CVSS v3.1 Base Score of 4.2 (MEDIUM). The vulnerability requires high attack complexity (AC:H) and low privileges (PR:L) to exploit, with network attack vector (AV:N) and no user interaction (UI:N) needed. The scope is unchanged (S:U) with low impacts on both confidentiality (C:L) and integrity (I:L), and no impact on availability (A:N) (NVD, Palo Alto Advisory).

An authenticated attacker who can observe their own authentication secrets over an extended period on the PAN-OS appliance could potentially impersonate another authenticated web interface administrator's session. The vulnerability affects all web interface authentication methods (Palo Alto Advisory).

The vulnerability has been fixed in PAN-OS versions 8.1.19, 9.0.14, 9.1.10, 10.0.4, and all later versions. There are no known workarounds for this issue, making it essential to upgrade to a patched version (Palo Alto Advisory).