Palo Alto Networks Security Advisories / CVE-2021-3063

CVE-2021-3063 PAN-OS: Denial-of-Service (DoS) Vulnerability in GlobalProtect Portal and Gateway Interfaces

047910
Severity 7.5 · HIGH
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact NONE
User Interaction NONE
Availability Impact HIGH

Description

An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to send specifically crafted traffic to a GlobalProtect interface that causes the service to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.21;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h4;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h3;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.8-h4;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3.

Prisma Access customers are not impacted by this issue.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.1< 10.1.3>= 10.1.3
PAN-OS 10.0< 10.0.8-h4>= 10.0.8-h4
PAN-OS 9.1< 9.1.11-h3>= 9.1.11-h3
PAN-OS 9.0< 9.0.14-h4>= 9.0.14-h4
PAN-OS 8.1< 8.1.21>= 8.1.21
Prisma Access 2.2Noneall
Prisma Access 2.1Noneall

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways' from the web interface.

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-755 Improper Handling of Exceptional Conditions

Solution

This issue is fixed in PAN-OS 8.1.21, PAN-OS 9.0.14-h4, PAN-OS 9.1.11-h3, PAN-OS 10.0.8-h4, PAN-OS 10.1.3, and all later PAN-OS versions.

Workarounds and Mitigations

Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect interfaces to block attacks against CVE-2021-3063.

It is not necessary to enable SSL decryption to detect and block attacks against this issue.

Acknowledgments

This issue was found by Nicholas Newsom of Palo Alto Networks during internal security review.

Timeline

Fixed the discovery status as this was internally found.
PAN-OS 10.0.8-h4 is now available
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.