Palo Alto Networks patches 9.8 severity CVE in popular GlobalProtect product

Arbitrary code execution by unauthenticated attacker? Big oops

Updated Palo Alto Networks (PAN) has issued a patch for a CVSS 9.8-rated buffer overflow affecting a VPN component of its widely used firewall software, warning that the flaw allows unauthenticated attackers to execute arbitrary code on unpatched appliances.

While the current version, 10.1, and three before it are not affected, the vuln, tracked as CVE-2021-3064, still exists in version 8.1.17 and all previous versions of PAN-OS, PAN's firewall operating system.

"A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges," said the company in an advisory published this week.

"The attacker must have network access to the GlobalProtect interface to exploit this issue."

The flaw was found by infosec outfit Randori, which warned that around 10,000 vulnerable firewalls were viewable across the wider internet earlier this week.

Such vulns are rapidly picked up on and exploited by ransomware gangs and nation states; Australia's Cyber Security Centre issued a warning today urging sysadmins to "apply the available update as soon as possible."

Randori summarised the vuln by saying: "The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow."

No exploit has yet been seen in the wild but exploitation is only a matter of time, judging by previous experience.

Furious Reg reader John complained: "Everybody using Palo Alto Networks' GlobalProtect, who is running only the second newest patch level on the 8.1 train which is still active in the lifecycle, is affected."

He added: "Memory corruption, really? There are enough code checking tools available which would help the developers to spot this before rolling the product…"

We have asked PAN for comment and will update this article if the firm responds. Earlier this year the company spent $156m buying an open source code-checking company: DevSecOps outfit Bridgecrew.

"Prisma Cloud customers will benefit from a single platform that will deliver cloud security from build time to runtime, seamlessly connecting security and DevOps teams," burbled PAN at the time.

Perhaps that Checkov tool ought to be directed inwards as well as outwards. ®

Updated at 1741 UTC on 11 November to add

Palo Alto Network sent us a statement following publication of this article:

The security advisory released addresses a vulnerability that may impact customers using old versions of PAN-OS (8.1.16 and earlier). We took immediate steps to implement mitigations. As outlined in the security advisory, we are not aware of any malicious attempts to exploit the vulnerability. We strongly encourage following best practices to keep systems updated and thank the researchers for alerting us and sharing their findings.

Broader topics

Other stories you might like

  • Ex-Qualcomm Snapdragon chief turns CEO at AI chip startup MemryX

    Meet the new boss

    A former executive leading Qualcomm's Snapdragon computing platforms has departed the company to become CEO at an AI chip startup.

    Keith Kressin will lead product commercialization for MemryX, which was founded in 2019 and makes memory-intensive AI chiplets.

    The company is now out of stealth mode and will soon commercially ship its AI chips to non-tech customers. The company was testing early generations of its chips with industries including auto and robotics.

    Continue reading
  • Aircraft can't land safely due to interference with upcoming 5G C-band broadband service

    Expect flight delays and diversions, US Federal Aviation Administation warns

    The new 5G C-band wireless broadband service expected to rollout on 5 January 2022 in the US will disrupt local radio signals and make it difficult for airplanes to land safely in harsh weather conditions, according to the Federal Aviation Administration.

    Pilots rely on radio altimeter readings to figure out when and where an aircraft should carry out a series of operations to prepare for touchdown. But the upcoming 5G C-band service beaming from cell towers threatens to interfere with these signals, the FAA warned in two reports.

    Flights may have to be delayed or restricted at certain airports as the new broadband service comes into effect next year. The change could affect some 6,834 airplanes and 1,828 helicopters. The cost to operators is expected to be $580,890.

    Continue reading
  • Canadian charged with running ransomware attack on US state of Alaska

    Cross-border op nabbed our man, boast cops and prosecutors

    A Canadian man is accused of masterminding ransomware attacks that caused "damage" to systems belonging to the US state of Alaska.

    A federal indictment against Matthew Philbert, 31, of Ottawa, was unsealed yesterday, and he was also concurrently charged by the Canadian authorities with a number of other criminal offences at the same time. US prosecutors [PDF] claimed he carried out "cyber related offences" – including a specific 2018 attack on a computer in Alaska.

    The Canadian Broadcasting Corporation reported that Philbert was charged after a 23 month investigation "that also involved the [Royal Canadian Mounted Police, federal enforcers], the FBI and Europol."

    Continue reading

Biting the hand that feeds IT © 1998–2021