CVE-2021-3053: 
PAN-OS vulnerability analysis and mitigation

An improper handling of exceptional conditions vulnerability exists in the Palo Alto Networks PAN-OS dataplane that enables an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that causes the service to crash. The vulnerability (CVE-2021-3053) was discovered internally and disclosed on September 8, 2021. It affects multiple versions of PAN-OS including versions earlier than PAN-OS 8.1.20, 9.0.14, 9.1.9, and 10.0.5. This issue does not affect Prisma Access (Palo Advisory).

The vulnerability is classified as an improper handling of exceptional conditions (CWE-755) with a CVSSv3.1 Base Score of 7.5 (HIGH). The attack vector is network-based, with low attack complexity and requires no privileges or user interaction. While the vulnerability has no impact on confidentiality and integrity, it has a high impact on availability. The issue is only applicable if GTP security is configured on the firewall (Palo Advisory, NVD).

When exploited, repeated attempts to send specifically crafted traffic through the firewall can result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This effectively disrupts all firewall services and network protection capabilities (Palo Advisory).

Palo Alto Networks has released fixes in PAN-OS versions 8.1.20, 9.0.14, 9.1.9, 10.0.5, and all later versions. As a workaround, administrators can enable signatures for Unique Threat ID 91593 on traffic processed by the firewall to block attacks against this vulnerability (Palo Advisory).