CVE-2021-3060: 
PAN-OS vulnerability analysis and mitigation

An OS command injection vulnerability (CVE-2021-3060) was discovered in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software. The vulnerability was disclosed on November 10, 2021, affecting multiple versions of PAN-OS including 8.1, 9.0, 9.1, 10.0, and 10.1, as well as Prisma Access 2.1 Preferred and Innovation firewalls (Palo Advisory).

The vulnerability allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-78 (OS Command Injection) (NVD).

If successfully exploited, the vulnerability allows attackers to execute arbitrary code with root user privileges, potentially leading to complete system compromise. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as HIGH impact (Palo Advisory).

Several mitigation options are available: 1) Upgrade to fixed versions (PAN-OS 8.1.20-h1, 9.0.14-h3, 9.1.11-h2, 10.0.8, 10.1.3, or later), 2) Change the master key for the firewall to prevent exploitation, 3) Remove all configured SCEP profiles from the firewall, and 4) Enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces. SSL decryption is not necessary to detect attacks against this issue (Palo Advisory).