Palo Alto`s massive zero-day hole

Palo Alto`s massive zero-day hole CVE 2021-3064 scored a CVSS rating of 9.8 out of 10 for vulnerability severity. The PAN’s GlobalProtect firewall allows for unauthenticated RCE on multiple versions of PAN-OS 8.1 prior to 8.1.17, on both physical and virtual firewalls. It potentially leaves 10,000 vulnerable firewalls with their goods exposed to the internet. Randori researches concerning the vulnerability reported that if an attacker gains an access to the vulnerability it will allow them to gain a shell on the targeted system, access sensitive configuration data, extract credentials and even more.

Palo Alto`s massive zero-day hole

“As the threat from zero-days grows, more and more organizations are asking for realistic ways to prepare for and train against unknown threats, which translates to a need for ethical use of zero-days.”“When a defender is unable to patch a flaw, they must rely on other controls. Real exploits let them validate those controls, and not simply in a contrived manner,” researches said in their report.

Initially Randori had confidence that “more than 70,000 vulnerable instances were exposed on internet-facing assets.”They based the resulting facts on a Shodan search of internet-exposed devices. The Randori Attack Team first detected the vulnerability a year ago. They developed a working exploit and used it against Randori customers (with authorization) over the past year. Randori synchronized the disclosure with the PAN. And on Wednesday Palo Alto Networks released an advisory and an update to patch CVE-2021-3064.

CVE-2021-3064 creates overflow in a buffer

Research team also provided a short technical analysis of CVE-2021-3064. It is a buffer overflow that takes place while parsing user-supplied input into a fixed-length location on the stack. To get to the problematic code, attackers would have to use an HTTP smuggling technique, researchers gave an explanation of it. In other ways, it’s not reachable outwardly. HTTP request smuggling is a technique for intervening in the way a web site processes sequences of HTTP requests that are obtained from one or more users.

In addition Randori offered recommendations for Palo Alto customers on how to mitigate the threat:

Observe logs and alerts from the device;

  • Limit origin IPs allowed to connect to services;
  • If you don’t use the GlobalProtect VPN portion of the Palo Alto firewall, put out of action it;
  • Authorize signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to obstruct attacks against this vulnerability;
  • Put in layered controls (such as firewall, WAF, segmentation, access controls);
  • Put out of action any unused features.

    • In case you miss the news we will give a short abstract here. The Moses Staff attack group that has been terrorizing the Israeli organization from September 2021 published the 3D photos of Israeli area. The group politically motivates their actions and calls for potential partners.

    Photo of Andrew Nail

    Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.
    Leave a Reply

    Leave a Reply

    Back to top button