CVE-2021-3055: 
PAN-OS vulnerability analysis and mitigation

An XML External Entity (XXE) reference vulnerability was discovered in the Palo Alto Networks PAN-OS web interface, identified as CVE-2021-3055. The vulnerability affects multiple versions of PAN-OS including versions earlier than 8.1.20, 9.0.14, 9.1.10, and 10.0.6. This security flaw was discovered by Cristian Mocanu and Dan Marin of Deloitte and was publicly disclosed on September 8, 2021 (Palo Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium severity) and is identified as CWE-611 (Improper Restriction of XML External Entity Reference). The vulnerability requires authenticated administrator access to exploit. When exploited, it allows an authenticated administrator to read arbitrary files from the file system and send specially crafted requests that can cause service crashes (Palo Advisory, NVD).

The exploitation of this vulnerability can lead to unauthorized file system access and potential denial of service conditions. Specifically, repeated exploitation attempts can cause all PAN-OS services to restart and force the device into maintenance mode, effectively disrupting network security operations (Palo Advisory).

Palo Alto Networks has released fixes in PAN-OS versions 8.1.20, 9.0.14, 9.1.10, 10.0.6, and all later versions. As a workaround, administrators can enable signatures for Unique Threat ID 91588 on traffic destined for the web interface to block attacks. Additionally, following best practices for securing the PAN-OS web interface is recommended as a mitigation measure (Palo Advisory).