This article provides details about CVE-2021-3063, an improper handling of exceptional conditions vulnerability in Palo Alto Networks affecting PAN-OS versions.
Understanding CVE-2021-3063
CVE-2021-3063 is a high-severity vulnerability that impacts the GlobalProtect portal and gateway interfaces in PAN-OS, potentially leading to denial of service attacks.
What is CVE-2021-3063?
An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces. It enables an unauthenticated network-based attacker to disrupt services by sending specially crafted traffic, leading to a denial of service condition.
The Impact of CVE-2021-3063
The vulnerability affects specific versions of PAN-OS, causing the device to stop responding when it receives malicious traffic. The device restarts and enters maintenance mode, which can result in a denial of service for all PAN-OS services. Prisma Access customers are not affected.
Technical Details of CVE-2021-3063
CVE-2021-3063 has been assigned a CVSS base score of 7.5, indicating a high severity level. The attack complexity is low, but the availability impact is high, making it crucial to address this vulnerability.
Vulnerability Description
The vulnerability arises due to improper handling of exceptional conditions in the GlobalProtect portal and gateway interfaces, allowing attackers to disrupt services by sending crafted traffic.
Affected Systems and Versions
PAN-OS versions impacted include 8.1.21 (and earlier), 9.0.14-h4 (and earlier), 9.1.11-h3 (and earlier), 10.0.8-h4 (and earlier), and 10.1.3 (and earlier). Prisma Access versions 2.1 and 2.2 are not affected.
Exploitation Mechanism
Palo Alto Networks has not detected any malicious exploitation attempts related to this vulnerability, but the potential for a denial of service attack exists.
Mitigation and Prevention
To address CVE-2021-3063, immediate and long-term mitigation strategies are recommended to safeguard PAN-OS configurations against possible attacks.
Immediate Steps to Take
Administrators are advised to apply the necessary security updates promptly to the affected PAN-OS versions to prevent exploitation of the vulnerability.
Long-Term Security Practices
Implement best security practices, conduct regular security audits, and stay informed about potential security threats to enhance the overall resilience of the PAN-OS environment.
Patching and Updates
The issue is fixed in PAN-OS 8.1.21, 9.0.14-h4, 9.1.11-h3, 10.0.8-h4, 10.1.3, and all subsequent versions of PAN-OS. Updating to the latest patched versions is crucial to mitigate the risk of a denial of service attack.
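An added example, not part of the original article or of any Palo Alto Networks tooling: a Python check that compares PAN-OS version strings, including the -hN hotfix suffix, against the fixed builds listed in the Patching and Updates section, treating a build equal to or later than the fixed build of its release train as patched. The function names and the sample inventory are assumptions made for illustration, and release trains older than those listed are reported as unknown.

```python
import re

# Fixed builds per release train, taken from the "Patching and Updates" section.
# Key: (major, minor) train. Value: (maintenance, hotfix) of the first fixed build.
FIXED = {
    (8, 1): (21, 0),
    (9, 0): (14, 4),
    (9, 1): (11, 3),
    (10, 0): (8, 4),
    (10, 1): (3, 0),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos_version(text):
    """Return ((major, minor), (maintenance, hotfix)) for e.g. '9.0.14-h4'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint = (int(g) for g in m.group(1, 2, 3))
    hotfix = int(m.group(4) or 0)  # a build without -hN sorts before -h1
    return (major, minor), (maint, hotfix)

def patch_status(version):
    """Classify a version as 'patched', 'needs-update' or 'unknown'."""
    train, build = parse_panos_version(version)
    if train in FIXED:
        return "patched" if build >= FIXED[train] else "needs-update"
    if train > max(FIXED):
        return "patched"  # later release trains count as subsequent versions
    return "unknown"  # train not listed on the page; check the vendor advisory

def audit(inventory):
    """Map each hostname to its status; malformed versions become 'unknown'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = patch_status(version)
        except ValueError:
            report[host] = "unknown"
    return report

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for illustration.
    sample = {"fw-edge-1": "9.0.14-h3", "fw-edge-2": "9.0.14-h4",
              "fw-dc-1": "10.1.3", "fw-lab": "8.1.20", "fw-old": "8.0.20"}
    for host, status in sorted(audit(sample).items()):
        print(f"{host:10} {status}")
```

The hotfix number has to be compared as an integer within the same maintenance release: 10.0.8 without a hotfix is older than 10.0.8-h4, which a plain string or dotted-number comparison gets wrong.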