CVE-2021-3062: 
PAN-OS vulnerability analysis and mitigation

An improper access control vulnerability (CVE-2021-3062) was discovered in PAN-OS software, affecting VM-Series firewalls hosted on Amazon AWS. The vulnerability was disclosed on November 10, 2021, impacting multiple versions of PAN-OS including versions earlier than 8.1.20, 9.0.14, 9.1.11, and 10.0.8 VM-Series firewalls. Prisma Access customers were not affected by this vulnerability (Palo Alto Advisory).

The vulnerability allows an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-284 (Improper Access Control) (NVD).

Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS, potentially leading to unauthorized access and control of AWS resources. The vulnerability affects systems with GlobalProtect portal or gateway enabled, which can be verified through the Network > GlobalProtect > Portals and Network > GlobalProtect > Gateways configurations on the web interface (Palo Alto Advisory).

The vulnerability has been fixed in PAN-OS versions 8.1.20, 9.0.14, 9.1.11, 10.0.8, and all later PAN-OS versions. No workarounds were available for this issue, making it critical for affected organizations to upgrade to the patched versions (Palo Alto Advisory).