Threat Advisory: Palo Alto Networks GlobalProtect VPN zero day patch available
Key Points
- Palo Alto Networks (PAN) has released a patch for a critical zero day vulnerability discovered by researchers.
- The vulnerability affects PAN-OS firewall versions earlier than 8.1.17 that have the GlobalProtect portal or gateway enabled.
- Researchers who have developed a private proof-of-concept (PoC) will delay the public release by 30 days to avoid malicious misuse before organisations have had the opportunity to patch. There is currently no evidence of exploitation in the wild.
- CyberCX recommends patching affected assets immediately.
On November 10, 2021, PAN released a security update that patched CVE-2021-3064.[1] This critical (CVSS 9.8) vulnerability impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17 that have the GlobalProtect portal or gateway enabled.[2] It is estimated that there are over 70,000 internet-facing assets globally vulnerable to CVE-2021-3064.[3]
This memory corruption vulnerability affects PAN firewalls using the GlobalProtect portal VPN and gateway interfaces. The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow. A private PoC has been developed by security researchers, who noted that exploitation of this HTTP smuggling capability could enable an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. Following a firewall compromise, an attacker would be able to move laterally within the network, access sensitive configuration data and more.[4]
The researchers will delay the public release of the PoC for CVE-2021-3064 for 30 days to prevent malicious exploitation of the zero day before organisations have had a chance to patch. The development and release of other PoCs by threat actors cannot be ruled out.
Recommendations
CyberCX urges customers to apply the security updates or available workarounds as soon as possible but no later than 10 December 2021, if they run an affected PAN-OS version and have the GlobalProtect portal or gateway enabled. PAN Threat Prevention Signatures are also available to block exploitation of the issue.
Although PAN is not aware of any malicious exploitation of this vulnerability in the wild, CyberCX assesses that there is a real chance of threat actors exploiting this issue once further technical details are released by security researchers on 10 December 2021. Unpatched VPN instances are commonly used as an initial attack vector by both cyber criminals and state-sponsored adversaries.
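A small asset-triage check that applies the advisory's affected condition (PAN-OS 8.1 earlier than 8.1.17 with a GlobalProtect portal or gateway enabled) to an inventory. This is an added example, not CyberCX or PAN tooling; the "-hN" hotfix suffix in version strings and the sample inventory are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# PAN-OS release strings look like "8.1.16" or, with a hotfix, "8.1.17-h1"
# (the "-hN" suffix format is an assumption of this example).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Fixed release named in the advisory: PAN-OS 8.1.17. Only the 8.1 branch is in scope.
AFFECTED_BRANCH = (8, 1)
FIXED_MAINT = 17


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str, globalprotect_enabled: bool) -> bool:
    """True if the firewall matches the advisory's affected condition:
    PAN-OS 8.1.x earlier than 8.1.17 with a GlobalProtect portal or gateway enabled."""
    major, minor, maint, _hotfix = parse_panos_version(version)
    if (major, minor) != AFFECTED_BRANCH:
        return False  # other release branches are out of scope for CVE-2021-3064
    if maint >= FIXED_MAINT:
        return False  # 8.1.17 and later (including hotfixes on top of it) carry the fix
    return globalprotect_enabled  # vulnerable code path is only exposed via GlobalProtect


def triage(inventory: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return hostnames that need the patch, sorted for stable reporting.
    inventory maps hostname -> (panos_version, globalprotect_enabled)."""
    return sorted(h for h, (v, gp) in inventory.items() if is_affected(v, gp))


# Constructed sample inventory (not real assets): hostname -> (version, GlobalProtect enabled).
SAMPLE_INVENTORY = {
    "fw-edge-01": ("8.1.16", True),      # vulnerable: old 8.1 with GlobalProtect portal
    "fw-edge-02": ("8.1.17", True),      # patched
    "fw-edge-03": ("8.1.17-h1", True),   # patched (hotfix on top of the fixed release)
    "fw-dc-01": ("8.1.10", False),       # old, but no GlobalProtect portal/gateway
    "fw-branch-01": ("9.1.3", True),     # different release branch, not in scope
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: PAN-OS {SAMPLE_INVENTORY[host][0]} with GlobalProtect, patch to 8.1.17+")
```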
Additional Information
For additional information, including specifics about the response within your IT environment, please contact cyberintel@cybercx.com.au or your usual CyberCX contact.
If you are not a customer but would like help responding to the subject of this advisory, please contact cyberintel@cybercx.com.au.
CyberCX Reference No# | Date of Advisory
CCX-TA-2021-41 | 11 November 2021
Traffic Light Protocol
Classification | Restrictions
RED | Highly Restricted. Access to and use by recipients only.
AMBER (Sensitive) | Restricted Internal Access and Use Only. Recipients must only make ‘AMBER’ information available within their organisation, strictly for internal purposes, on a need-to-know basis, and only to assist in the protection of ICT systems.
GREEN (Confidential) | Restricted to Closed Groups and Subject to Confidentiality. Recipients must not publish or post it on the World Wide Web or otherwise release it in circumstances where confidentiality may not be maintained.
WHITE | Not Restricted or Confidential. For public, unrestricted dissemination, publication, web-posting or broadcast. Recipients may publish the information, subject to copyright and any restrictions or rights noted in the information.
NOT CLASSIFIED | Any advisory received from the CyberCX Cyber Intelligence team that is not classified in accordance with the TLP must be treated as ‘AMBER’ unless otherwise agreed in writing by the sender.
Guide to CyberCX Cyber Intelligence reporting language
CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.
Probability estimates – reflect our estimate of the likelihood an event or development occurs
Remote chance | Less than 5%
Highly unlikely | 5-20%
Unlikely | 20-40%
Real chance | 40-55%
Likely | 55-80%
Highly likely | 80-95%
Almost certain | 95% or higher
Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.
Confidence levels – reflect the validity and accuracy of our assessments
Low confidence | Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.
Moderate confidence | Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.
High confidence | Assessment based on high-quality information that our analysts can corroborate from multiple, different sources.
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-42321; https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398
[2] https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-exchange-rce-bug-patch-now/
[3] https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169
[4] https://github.com/klinix5/InstallerFileTakeOver
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379
[6] https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/