CVE-2021-3063: 
PAN-OS vulnerability analysis and mitigation

CVE-2021-3063 is a denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect portal and gateway interfaces, discovered internally by Nicholas Newsom of Palo Alto Networks. The vulnerability was disclosed on November 10, 2021, affecting multiple versions of PAN-OS including versions earlier than PAN-OS 8.1.21, 9.0.14-h4, 9.1.11-h3, 10.0.8-h4, and 10.1.3 (Palo Advisory).

The vulnerability stems from improper handling of exceptional conditions in the GlobalProtect portal and gateway interfaces. It allows an unauthenticated network-based attacker to send specifically crafted traffic to a GlobalProtect interface that causes the service to stop responding. The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high availability impact with no confidentiality or integrity impact (Palo Advisory).

When exploited, repeated attempts to send malicious requests can result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This vulnerability only affects PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled (Palo Advisory).

Palo Alto Networks has released fixes in PAN-OS versions 8.1.21, 9.0.14-h4, 9.1.11-h3, 10.0.8-h4, 10.1.3, and all later versions. As a workaround, administrators can enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect interfaces to block attacks. SSL decryption is not required to detect and block attacks against this vulnerability (Palo Advisory).