CVE-2021-3062 PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users
Palo Alto Networks Security Advisories / CVE-2021-3062
CVSS v3.1 Metrics
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Published 2021-11-10
Updated 2021-11-17
Reference PAN-164422
Discovered externally
Description
An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS.
Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS.
This issue impacts:
PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls;
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls;
PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls;
PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls.
Prisma Access customers are not impacted by this issue.
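The practical consequence of the description above is that credentials of the firewall's EC2 instance role can be lifted from the metadata endpoint and then used from anywhere. Instance-profile credentials show up in CloudTrail as an AssumedRole session whose session name is the instance ID, so a defender can look for calls under the firewall's role that did not originate from the firewall's own address. The following is an added example, not code from the advisory or from Palo Alto Networks; the role name, account ID, addresses and CloudTrail records are constructed, and the check assumes the firewall reaches AWS APIs from a known set of source addresses (its elastic IP or NAT address, or its private IP when using a VPC endpoint).

```python
import ipaddress

# Constructed CloudTrail records, not real log data. Only the fields the check
# needs are present. The role name, account ID and addresses are made up.
SAMPLE_EVENTS = [
    {   # Routine call from the firewall itself (its elastic IP): expected.
        "eventTime": "2021-11-12T03:14:15Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeNetworkInterfaces", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/i-0abc123def456"},
    },
    {   # Same instance-profile session, but used from an address that is not the firewall.
        "eventTime": "2021-11-12T03:20:41Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/i-0abc123def456"},
    },
    {   # An operator who assumed the same role by hand: not instance credentials, ignored here.
        "eventTime": "2021-11-12T04:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/alice"},
    },
    {   # Call made by an AWS service on the instance's behalf: source is a service name.
        "eventTime": "2021-11-12T04:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/vmseries-instance-role/i-0abc123def456"},
    },
]


def assumed_role_session(arn):
    """Split an STS assumed-role ARN into (role_name, session_name), or None."""
    resource = arn.split(":", 5)[-1]           # 'assumed-role/<role>/<session>'
    parts = resource.split("/")
    if len(parts) != 3 or parts[0] != "assumed-role":
        return None
    return parts[1], parts[2]


def is_instance_profile_session(record, role_name):
    """True when the call used credentials an EC2 instance obtained from IMDS.

    Instance-profile credentials appear in CloudTrail as an AssumedRole session
    whose session name is the instance ID (i-...). Sessions with any other
    name were assumed by something else and are out of scope for this check.
    """
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    parsed = assumed_role_session(ident.get("arn", ""))
    if parsed is None:
        return False
    role, session = parsed
    return role == role_name and session.startswith("i-")


def stolen_credential_use(records, role_name, expected_sources):
    """Return instance-profile calls under role_name whose source address is
    outside expected_sources (the firewall's own public/NAT/endpoint addresses)."""
    allowed = [ipaddress.ip_network(s) for s in expected_sources]
    hits = []
    for rec in records:
        if not is_instance_profile_session(rec, role_name):
            continue
        src = rec.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):
            continue                 # service-originated call; no client IP to compare
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            hits.append(rec)         # unparseable source is worth a look too
            continue
        if not any(ip in net for net in allowed):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in stolen_credential_use(SAMPLE_EVENTS, "vmseries-instance-role", ["198.51.100.7/32"]):
        print(rec["eventTime"], rec["eventName"], "from", rec["sourceIPAddress"])
```

Against the constructed records only the ListBuckets call is flagged: it carries the instance's own session name but comes from an address the firewall never uses. Run the same check over the real CloudTrail data for the window before the fixed release was installed; if the firewall talks to AWS through a VPC endpoint, its private address belongs in the expected set instead of a public one.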
Product Status
Versions           Affected                   Unaffected
PAN-OS 10.1        None                       10.1.* on VM-Series
PAN-OS 10.0        < 10.0.8 on VM-Series      >= 10.0.8 on VM-Series
PAN-OS 9.1         < 9.1.11 on VM-Series      >= 9.1.11 on VM-Series
PAN-OS 9.0         < 9.0.14 on VM-Series      >= 9.0.14 on VM-Series
PAN-OS 8.1         < 8.1.20 on VM-Series      >= 8.1.20 on VM-Series
Prisma Access 2.2  None                       all
Prisma Access 2.1  None                       all
Required Configuration for Exposure
This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect portal or gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in ‘Network > GlobalProtect > Portals’ and in ‘Network > GlobalProtect > Gateways’ on the web interface.
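Exposure therefore needs two things at once: a VM-Series build in one of the affected ranges, and at least one GlobalProtect portal or gateway configured. Across a fleet it is easier to test both from collected output than from the web interface. The following is an added example, not a tool from the advisory or from Palo Alto Networks; it encodes the Product Status table above and assumes that 'show system info' reports the model as PA-VM for VM-Series and that the exported running config keeps portals and gateways under global-protect/global-protect-portal and global-protect/global-protect-gateway entry nodes. The sample output and config are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Earliest fixed build per release train, taken from the advisory's Product Status table.
# PAN-OS 10.1 is listed as unaffected on VM-Series and so has no entry.
FIXED_IN = {
    (8, 1): (8, 1, 20),
    (9, 0): (9, 0, 14),
    (9, 1): (9, 1, 11),
    (10, 0): (10, 0, 8),
}


def parse_version(sw_version):
    """Return (major, minor, maintenance) for strings like '9.1.10' or '9.1.10-h3'.

    Hotfix suffixes are dropped: 9.1.10-h3 is still earlier than 9.1.11, and
    9.1.11-h1 is not earlier than 9.1.11, which is how the advisory's
    'versions earlier than' wording reads.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", sw_version.strip())
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % sw_version)
    return tuple(int(x) for x in m.groups())


def is_vm_series(model):
    # Assumption: VM-Series firewalls report their model as PA-VM. The advisory
    # lists only VM-Series builds as affected.
    return model.strip().upper().startswith("PA-VM")


def is_affected_build(sw_version, model):
    """True when the build falls in an affected range of the advisory."""
    if not is_vm_series(model):
        return False
    version = parse_version(sw_version)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # Trains not in the table (10.1 and later) are not listed as affected.
        return False
    return version < fixed


def parse_system_info(text):
    """Parse the 'key: value' lines that 'show system info' prints."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+):\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def globalprotect_configured(config_xml):
    """True when the running config defines any GlobalProtect portal or gateway.

    Assumption about the config layout: portals and gateways live under
    .../vsys/entry/global-protect/global-protect-portal and
    .../global-protect/global-protect-gateway as <entry name="..."> nodes.
    """
    root = ET.fromstring(config_xml)
    portals = root.findall(".//global-protect/global-protect-portal/entry")
    gateways = root.findall(".//global-protect/global-protect-gateway/entry")
    return bool(portals or gateways)


def triage(system_info_text, config_xml):
    """Return (affected_build, globalprotect_configured, exposed_to_this_cve)."""
    info = parse_system_info(system_info_text)
    affected = is_affected_build(info["sw-version"], info["model"])
    exposed = globalprotect_configured(config_xml)
    return affected, exposed, affected and exposed


# Constructed sample data, not output captured from a real firewall.
SAMPLE_SYSTEM_INFO = """\
hostname: vm-fw-01
model: PA-VM
serial: 0123456789
sw-version: 9.1.10
"""

SAMPLE_CONFIG = """\
<config version="9.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal><entry name="gp-portal"/></global-protect-portal>
      <global-protect-gateway><entry name="gp-gateway"/></global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM_INFO, SAMPLE_CONFIG))
```

A hardware firewall on 9.1.10 comes back as not affected, a VM-Series on 9.1.10 with no portal or gateway comes back as an affected build that is not exposed, and the constructed sample (VM-Series, 9.1.10, portal and gateway present) comes back exposed on all three counts. Note that the advisory lists no workaround, so the only remediation for an exposed device is the fixed release.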
Severity: HIGH
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
Weakness Type
CWE-284 Improper Access Control
Solution
This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions.
Workarounds and Mitigations
There are no known workarounds for this issue.
Acknowledgments
Palo Alto Networks thanks Matthew Flanagan of Computer Systems Australia (CSA) and Suresh Kumar Ponnusamy of Freshworks for discovering and reporting this issue.
Timeline
2021-11-17 Updated credit
2021-11-10 Initial publication