CVE-2021-3036 Explained: Impact and Mitigation

Learn about CVE-2021-3036, a vulnerability in Palo Alto Networks PAN-OS software exposing administrator secrets in web server logs. Find impacts, affected versions, and mitigation steps.

This article discusses CVE-2021-3036, a vulnerability in Palo Alto Networks PAN-OS software that exposes administrator secrets in web server logs when using the PAN-OS XML API incorrectly.

Understanding CVE-2021-3036

This section provides details on the vulnerability, its impact, technical aspects, and mitigation strategies.

What is CVE-2021-3036?

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software. The flaw exposes secrets in PAN-OS XML API requests that are logged in cleartext in web server logs, specifically when the API is incorrectly used.

The Impact of CVE-2021-3036

The vulnerability affects PAN-OS appliances configured to use the PAN-OS XML API. Cleartext usernames, passwords, and API keys of administrators making the API request are exposed when clients include duplicate API parameters.

Technical Details of CVE-2021-3036

Below are specifics related to the vulnerability.

Vulnerability Description

The vulnerability arises from secrets in PAN-OS XML API requests being logged in cleartext to web server logs, compromising sensitive information.

Affected Systems and Versions

Palo Alto Networks PAN-OS 8.1, 9.0, 9.1, and 10.0 are impacted. Within those branches, releases earlier than 8.1.19, 9.0.12, 9.1.6, and 10.0.1 respectively are susceptible.

Exploitation Mechanism

No instances of malicious exploitation have been attributed to this vulnerability by Palo Alto Networks.

Mitigation and Prevention

This section outlines steps to mitigate the risks associated with CVE-2021-3036.

Immediate Steps to Take

        Upgrade to PAN-OS 8.1.19, 9.0.12, 9.1.6, 10.0.1, or a later version.
        Change passwords and generate new API keys for all affected administrators.

Long-Term Security Practices

        Regularly update PAN-OS software to the latest version.
        Implement secure API usage practices to avoid inadvertent exposure.
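
As an added example (not from the original article or from Palo Alto Networks), the following client-side pre-flight check flags XML API requests that repeat a parameter while carrying credentials, which is the condition described above. The parameter names key, user and password, the choice to count the query string and POST body together, and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed names of the credential-bearing XML API parameters; the article
# names the exposed secrets but does not list the parameters themselves.
CREDENTIAL_PARAMS = {"key", "user", "password"}

def _pairs(url, body=""):
    """Collect (name, value) pairs from the query string and a form body."""
    return (parse_qsl(urlsplit(url).query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))

def audit_request(url, body=""):
    """Flag a request that repeats any parameter while carrying credentials."""
    counts = Counter(name for name, _ in _pairs(url, body))
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    credentials = sorted(CREDENTIAL_PARAMS.intersection(counts))
    return {"duplicates": duplicates, "credentials": credentials,
            "at_risk": bool(duplicates and credentials)}

def redact(url, body=""):
    """Render the request for a report without reproducing the secrets."""
    safe = [(n, "***" if n in CREDENTIAL_PARAMS else v)
            for n, v in _pairs(url, body)]
    return urlsplit(url).path + "?" + urlencode(safe, safe="*")

# Constructed sample requests (host, key and password are placeholders).
SAMPLES = [
    ("https://fw.example.test/api/?type=op&key=CONSTRUCTED-KEY", ""),
    ("https://fw.example.test/api/?type=keygen&user=admin"
     "&password=constructed&type=keygen", ""),
    ("https://fw.example.test/api/?type=op&key=CONSTRUCTED-KEY",
     "key=CONSTRUCTED-KEY"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        result = audit_request(url, body)
        verdict = "BLOCK" if result["at_risk"] else "ok"
        print(verdict, result["duplicates"], redact(url, body))
```

Calling audit_request before each request is sent lets an automation script refuse the malformed call instead of relying on the appliance to handle it safely.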

Patching and Updates

Ensure all PAN-OS appliances are up to date to mitigate the vulnerability effectively.
