CVE-2021-3058: 
PAN-OS vulnerability analysis and mitigation

An OS command injection vulnerability (CVE-2021-3058) was discovered in the Palo Alto Networks PAN-OS web interface. The vulnerability affects multiple versions of PAN-OS including versions earlier than 8.1.20-h1, 9.0.14-h3, 9.1.11-h2, 10.0.8, and 10.1.3. This vulnerability does not impact Prisma Access firewalls. The issue was disclosed on November 10, 2021 (Palo Alto Advisory).

The vulnerability is classified as an OS command injection (CWE-78) that allows an authenticated administrator with XML API permissions to execute arbitrary OS commands and escalate privileges. The vulnerability has received a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is only applicable to PAN-OS firewalls configured to use the XML API (Palo Alto Advisory).

If exploited, this vulnerability allows an authenticated attacker with XML API permissions to execute arbitrary operating system commands on the affected system, potentially leading to privilege escalation and complete system compromise. The vulnerability affects confidentiality, integrity, and availability of the system with high severity ratings for all three aspects (Palo Alto Advisory).

Palo Alto Networks has released fixes in PAN-OS versions 8.1.20-h1, 9.0.14-h3, 9.1.11-h2, 10.0.8, 10.1.3, and all later versions. As a workaround, administrators can enable signatures for Unique Threat ID 91715 on traffic processed by the firewall to block attacks. Additionally, following best practices for securing the PAN-OS web interface is recommended (Palo Alto Advisory).