Security researchers at cybersecurity company Randori have disclosed a zero-day flaw in Palo Alto Networks' GlobalProtect VPN. Around 10,000 internet-facing instances were found running affected versions. The flaw allows an unauthenticated attacker to execute code remotely on vulnerable installations.
Affecting multiple versions
The flaw is tracked as CVE-2021-3064 and affects Palo Alto Networks (PAN) firewalls that expose the GlobalProtect portal or gateway. It is a buffer overflow that occurs while parsing user-supplied input into a fixed-length buffer on the stack, and it affects PAN-OS 8.1 releases before 8.1.17. To exploit it, an attacker only needs network access to the device on the GlobalProtect service port (443 by default), which is usually reachable from the internet because that is the port remote users connect to.
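The following added example (constructed for this article, not code from Randori or Palo Alto Networks) models the bug class described above: a request parameter is copied into a fixed-length stack buffer without a length check, shown beside a bounded version that refuses over-long values instead of writing past the buffer. The parameter name, buffer size and sample inputs are assumptions made for illustration, not details of the real vulnerability.

```c
/* Illustrative model of the bug class behind CVE-2021-3064: a fixed-length stack
 * buffer filled from attacker-controlled request data. Constructed example code,
 * not Palo Alto Networks source; the parameter name and sizes are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_MAX 32   /* assumed fixed buffer size for the model */

/* Locate "key=" in a query/cookie-style string. Returns a pointer to the start
 * of the value and stores its length (up to the next '&' or end) via *len. */
static const char *find_value(const char *s, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = s;
    while ((p = strstr(p, key)) != NULL) {
        /* key must sit at the start or right after '&', and be followed by '=' */
        if ((p == s || p[-1] == '&') && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p += klen;
    }
    return NULL;
}

/* VULNERABLE pattern: the value is copied into a fixed-size stack buffer with
 * no length check. A value of VALUE_MAX bytes or more overwrites whatever sits
 * above `value` on the stack (saved registers, return address). */
int parse_param_vulnerable(const char *query, const char *key) {
    char value[VALUE_MAX];
    size_t vlen;
    const char *v = find_value(query, key, &vlen);
    if (!v) return -1;
    memcpy(value, v, vlen);      /* no bound: stack overflow when vlen >= VALUE_MAX */
    value[vlen] = '\0';
    return (int)strlen(value);
}

/* HARDENED pattern: check the length before it touches the buffer and reject
 * anything that does not fit, so the caller can fail the request instead of
 * continuing with corrupted state. */
int parse_param_bounded(const char *query, const char *key) {
    char value[VALUE_MAX];
    size_t vlen;
    const char *v = find_value(query, key, &vlen);
    if (!v) return -1;
    if (vlen >= sizeof value) return -2;   /* too long: refuse, do not truncate silently */
    memcpy(value, v, vlen);
    value[vlen] = '\0';
    return (int)vlen;
}

/* Build "user=" followed by value_len bytes of 'A' (constructed input) and run
 * the bounded parser on it. Returns the parser's result, or -3 on allocation failure. */
int bounded_result_for_value_len(size_t value_len) {
    char *buf = malloc(5 + value_len + 1);
    if (!buf) return -3;
    memcpy(buf, "user=", 5);
    memset(buf + 5, 'A', value_len);
    buf[5 + value_len] = '\0';
    int r = parse_param_bounded(buf, "user");
    free(buf);
    return r;
}

int main(void) {
    /* Constructed inputs: a benign request and one carrying an over-long value. */
    const char benign[] = "user=alice&lang=en";

    printf("bounded, benign value     : %d\n", parse_param_bounded(benign, "user"));
    printf("bounded, 506-byte value   : %d\n", bounded_result_for_value_len(506));
    printf("vulnerable, benign value  : %d\n", parse_param_vulnerable(benign, "user"));
    /* parse_param_vulnerable on the 506-byte value would smash the stack; build
     * with -fsanitize=address to have the overflow reported instead of silently
     * corrupting memory. */
    return 0;
}
```

The bounded parser returns a distinct error for "does not fit" rather than truncating, so the caller can reject the request and log it; silent truncation would hide probing attempts of exactly the kind that precede an exploit like this one.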
Randori researchers said: "Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally. Randori researchers have not exploited the buffer overflow to result in controlled code execution on certain hardware device versions with MIPS-based management plane CPUs due to their big-endian architecture, though the overflow is reachable on these devices and can be exploited to limit the availability of services."
If you run a Palo Alto Networks appliance with the GlobalProtect portal or gateway enabled, check the PAN-OS version first (on the firewall CLI, "show system info" reports it as sw-version) and upgrade any 8.1.x release below 8.1.17 to 8.1.17 or later. PAN-OS 9.0 and later are not affected by this issue. Where an immediate upgrade is not possible, apply Palo Alto Networks' Threat Prevention signatures for this vulnerability to the traffic reaching the GlobalProtect interface, and treat any firewall that was exposed while unpatched as a candidate for credential rotation and a review of its configuration and logs, given what Randori reports an attacker can reach after gaining a shell.