CVE-2021-3062 : Vulnerability Insights and Analysis

An in-depth look into CVE-2021-3062, an improper access control vulnerability in PAN-OS software that allows attackers to access the EC2 instance metadata endpoint for VM-Series firewalls on Amazon AWS when authenticated through GlobalProtect.

Understanding CVE-2021-3062

This section explores the impact, technical details, and mitigation strategies related to CVE-2021-3062.

What is CVE-2021-3062?

CVE-2021-3062 is an improper access control vulnerability within PAN-OS software that grants unauthorized access to the EC2 instance metadata endpoint for VM-Series firewalls.

The Impact of CVE-2021-3062

Exploitation of this vulnerability allows attackers authenticated via GlobalProtect to perform operations permitted by the EC2 role in AWS.

Technical Details of CVE-2021-3062

A detailed analysis of the vulnerability, affected systems, and the exploitation mechanism.

Vulnerability Description

The vulnerability affects PAN-OS versions prior to 8.1.20, 9.0.14, 9.1.11, and 10.0.8 on VM-Series firewalls, but does not impact Prisma Access customers.

Affected Systems and Versions

PAN-OS 8.1 versions < 8.1.20, PAN-OS 9.0 versions < 9.0.14, PAN-OS 9.1 versions < 9.1.11, PAN-OS 10.0 versions < 10.0.8 on VM-Series firewalls.

Exploitation Mechanism

Attackers with authenticated access to GlobalProtect portals or gateways can abuse the vulnerability to connect to the EC2 instance metadata endpoint.

Mitigation and Prevention

Guidance on mitigating the risks of CVE-2021-3062 and preventing potential exploitation.

Immediate Steps to Take

Upgrade to PAN-OS versions 8.1.20, 9.0.14, 9.1.11, 10.0.8, or later releases to address the vulnerability.

Long-Term Security Practices

Regularly monitor for security updates from Palo Alto Networks and adhere to best practices for firewall configurations.

Patching and Updates

Ensure all affected PAN-OS versions are promptly updated to the recommended releases to eliminate the vulnerability.