CVE-2021-3064: 
PAN-OS vulnerability analysis and mitigation

A critical memory corruption vulnerability (CVE-2021-3064) was discovered in Palo Alto Networks GlobalProtect portal and gateway interfaces. The vulnerability, disclosed on November 10, 2021, affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.17, with a CVSS v3.1 base score of 9.8. This vulnerability enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges, provided they have network access to the GlobalProtect interface (Palo Advisory, NIST NVD).

CVE-2021-3064 is a buffer overflow vulnerability that occurs while parsing user-supplied input into a fixed-length location on the stack. The exploitation requires utilizing an HTTP smuggling technique to reach the problematic code externally. On devices with ASLR enabled, exploitation is difficult but possible, while on virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) (Help Net Security).

The successful exploitation of this vulnerability could allow attackers to execute arbitrary code with root user privileges, potentially leading to complete system compromise. The vulnerability affects PAN-OS firewall configurations with GlobalProtect portal or gateway enabled, with over 10,000 internet-facing installations reported as vulnerable at the time of disclosure (Help Net Security).

Palo Alto Networks has released patches to address this vulnerability in PAN-OS 8.1.17 and all later versions. For organizations unable to update immediately, recommended mitigations include enabling signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces, or disabling the GlobalProtect portal or gateway if VPN capability is not required. SSL decryption is not necessary to detect and block attacks against this issue (Palo Advisory, CISA Alert).

The vulnerability was discovered by the Randori Attack Team, who responsibly disclosed it and refrained from publishing technical details for a month after disclosure to give organizations time to patch. CISA issued an alert encouraging users and administrators to review the Palo Alto Security Advisory and apply necessary updates or workarounds (Help Net Security, CISA Alert).