CVE-2021-3061: 
PAN-OS vulnerability analysis and mitigation

An OS command injection vulnerability was discovered in the Palo Alto Networks PAN-OS command line interface (CLI), identified as CVE-2021-3061. The vulnerability affects multiple versions of PAN-OS including versions 8.1, 9.0, 9.1, 10.0, and 10.1 prior to their respective security updates. This security issue was publicly disclosed on November 10, 2021, and affects PAN-OS systems while Prisma Access 2.1 customers are also impacted (Palo Advisory).

The vulnerability is classified as an OS Command Injection (CWE-78) with a CVSS v3.1 base score of 6.4 (Medium) according to Palo Alto Networks, and 7.2 (High) according to NVD. The attack requires high privileges and local access, with high complexity, but can potentially result in high impacts to confidentiality, integrity, and availability. The vulnerability specifically exists in the CLI interface, where authenticated administrators can execute arbitrary OS commands to escalate privileges (Palo Advisory, NVD).

If successfully exploited, this vulnerability allows an authenticated administrator with CLI access to execute arbitrary OS commands and escalate privileges on the affected system. This could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected PAN-OS system (Palo Advisory).

Palo Alto Networks has released fixes in PAN-OS versions 8.1.20-h1, 9.0.14-h3, 9.1.11-h2, 10.0.8, and 10.1.3. Organizations are advised to upgrade to these or later versions. As a mitigation measure, organizations should follow best practices for securing administrative access to PAN-OS software and limit CLI access to trusted administrators (Palo Advisory).