Huge Zero-Day Issue Found in Palo Alto Security Appliances!


Researchers have developed a working exploit to gain remote code execution (RCE) via a massive vulnerability (now patched), in a security appliance from Palo Alto Networks (PAN), potentially leaving more than 70,000 vulnerable firewalls with their goods exposed to the internet.

The critical zero day, tracked as CVE-2021-3064 & scoring a CVSS rating of 9.8 out of 10 for vulnerability severity, is in PAN’s Global Protect firewall. It allows for unauthenticated RCE on multiple versions of PAN-OS 8.1 prior to 8.1.17, on both physical & virtual firewalls.

UPDATE: The PAN updates cover versions 9.0 & 9.1, but based on Randori’s research, those versions aren’t vulnerable to this particular CVE. A spokesperson explained that any updates to non-8.1 versions are likely unrelated to CVE-2021-3064.

Randori researchers observed in a Wed. post that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials etc.

Control over the Firewall

From there, attackers can reach across a targeted organisation, they said: “Once an attacker has control over the firewall, they will have visibility into the internal network & can proceed to move laterally.”

Going by a Shodan search of internet-exposed devices, Randori believes there are “more than 70,000 vulnerable instances exposed on internet-facing assets.”

The Randori Attack Team found the zero day a year ago, developed a working exploit & used it against Randori customers (with authorisation) over the past year. Below is the team’s video of the exploit:

Do Patch

Randori has co-ordinated disclosure with PAN. On Wed., PAN published an advisory & an update to patch CVE-2021-3064.

Randori’s also planning to release more technical details on Wed., “once the patch has had enough time to soak,” & will issue updates at @RandoriAttack on Twitter, according to its write-up.

While Randori is waiting 30 days before releasing yet more detailed technical information that it usually provides in its attack notes – a ‘grace period’ for customers to patch or upgrade – it did give some higher-level details.

Vulnerability Chain

Randori stated that CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. To get to the problematic code, attackers would have to use an HTTP smuggling technique, researchers explained. Otherwise, it’s not reachable externally.
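The defect class Randori describes, illustrated with an added C example that is not PAN-OS code and not Randori’s: a hypothetical request handler copies a query parameter into a fixed-length stack buffer, first in the unbounded form that the overflow pattern relies on and then in a bounded form that measures the input and rejects anything that would not fit. The request format, the `user=` parameter, the `FIELD_MAX` size and all function names are assumptions made for this example.

```c
/* Added illustration, not PAN-OS code: user-supplied input copied into a
 * fixed-length stack buffer, shown unbounded (the defect) and bounded (the
 * fix). Request format, parameter name and sizes are made up. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* fixed-length stack buffer used by both variants */

/* Defective pattern: strcpy trusts the caller to keep `value` shorter than
 * FIELD_MAX. Anything longer overruns the stack frame. Kept only for
 * contrast; never hand it untrusted input. */
int parse_field_unbounded(const char *value)
{
    char field[FIELD_MAX];
    strcpy(field, value);               /* no length check at all */
    return (int)strlen(field);
}

/* Hardened pattern: measure first (never scanning past the limit), reject
 * anything that cannot be stored together with its terminating NUL, then
 * copy with an explicit bound. Returns bytes stored, or -1 if rejected. */
int parse_field_bounded(const char *value)
{
    char field[FIELD_MAX];
    size_t len = 0;

    while (len < FIELD_MAX && value[len] != '\0')
        len++;
    if (len >= FIELD_MAX)               /* too long to fit with its NUL */
        return -1;

    memcpy(field, value, len);
    field[len] = '\0';
    return (int)len;
}

/* Simulated caller: pulls a hypothetical "user=" parameter out of a request
 * line and hands it to the bounded parser. Returns the parser's result, or
 * -2 when the parameter is absent. */
int handle_request(const char *request_line)
{
    const char *p = strstr(request_line, "user=");
    if (p == NULL)
        return -2;
    return parse_field_bounded(p + 5);  /* 5 == strlen("user=") */
}

int main(void)
{
    /* Constructed inputs: one normal value, one far beyond FIELD_MAX. */
    const char *ok  = "GET /login?user=alice";
    const char *big = "GET /login?user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("normal request    -> %d\n", handle_request(ok));   /* 5 */
    printf("oversized request -> %d\n", handle_request(big));  /* -1 */
    return 0;
}
```

The bounded version is the shape to look for in review: the length is established before any write, the check accounts for the terminator, and the copy uses that measured length rather than trusting the input to stop on its own.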

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from 1 or more users.
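An added example, not from Randori or Palo Alto Networks, of the framing ambiguity that request smuggling relies on: when two components in the request path disagree on whether Content-Length or Transfer-Encoding delimits a body, bytes one side treats as body the other can treat as the start of a new request. The C function below scans a raw request’s headers the way a conservative front end would and flags the combinations that should be rejected rather than interpreted (both headers present, conflicting Content-Length values, a Transfer-Encoding other than plain chunked). The function names, flag values and sample requests are constructed for this example.

```c
/* Added example (not Randori's or PAN's code): flag HTTP/1.1 requests whose
 * body framing is ambiguous, the condition request smuggling exploits.
 * RFC 7230 section 3.3.3 says a message carrying both Transfer-Encoding and
 * Content-Length "ought to be handled as an error"; a conservative front end
 * rejects such requests instead of guessing which header the back end will
 * honour. The sample requests in main() are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define AMBIG_NONE      0
#define AMBIG_TE_AND_CL 1   /* both Transfer-Encoding and Content-Length present */
#define AMBIG_DUP_CL    2   /* repeated Content-Length headers that disagree */
#define AMBIG_ODD_TE    4   /* Transfer-Encoding present but not plain "chunked" */

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* If `line` starts with header `name` followed by ':', return a pointer to
 * the value with leading spaces/tabs skipped; otherwise NULL. */
static const char *header_value(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return NULL;
    if (line[n] != ':')
        return NULL;
    const char *v = line + n + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    return v;
}

/* Copy one header value into buf (bounded), stopping at end of line and
 * trimming trailing whitespace. */
static void copy_value(const char *v, char *buf, size_t cap)
{
    size_t i = 0;
    while (i + 1 < cap && v[i] != '\0' && v[i] != '\r' && v[i] != '\n') {
        buf[i] = v[i];
        i++;
    }
    while (i > 0 && (buf[i - 1] == ' ' || buf[i - 1] == '\t'))
        i--;
    buf[i] = '\0';
}

/* Scan the header block of a raw request (request line through the blank
 * line) and return a bitmask of the AMBIG_* conditions found. */
int framing_ambiguity(const char *request)
{
    int flags = AMBIG_NONE, cl_seen = 0, te_seen = 0;
    char first_cl[64] = "", val[64];
    const char *line = strchr(request, '\n');   /* skip the request line */

    while (line != NULL) {
        line++;                                 /* start of the next header line */
        if (*line == '\0' || *line == '\r' || *line == '\n')
            break;                              /* blank line ends the headers */
        const char *v;
        if ((v = header_value(line, "Content-Length")) != NULL) {
            copy_value(v, val, sizeof val);
            if (cl_seen && strcmp(first_cl, val) != 0)
                flags |= AMBIG_DUP_CL;
            if (!cl_seen)
                snprintf(first_cl, sizeof first_cl, "%s", val);
            cl_seen = 1;
        } else if ((v = header_value(line, "Transfer-Encoding")) != NULL) {
            copy_value(v, val, sizeof val);
            te_seen = 1;
            if (!ieq(val, "chunked"))           /* e.g. "xchunked", "chunked, identity" */
                flags |= AMBIG_ODD_TE;
        }
        line = strchr(line, '\n');
    }
    if (cl_seen && te_seen)
        flags |= AMBIG_TE_AND_CL;
    return flags;
}

int main(void)
{
    const char *clean = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello";
    const char *both  = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
                        "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
    printf("clean request   -> %d\n", framing_ambiguity(clean));  /* 0 */
    printf("CL + TE request -> %d\n", framing_ambiguity(both));   /* 1 */
    return 0;
}
```

A non-zero result is a reason to reject the request outright (HTTP 400) at the outermost component, because the ambiguity only matters when the next hop might resolve it differently; normalising the request and forwarding it is the guess the checker is meant to avoid.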

Often Critical

These kinds of vulnerabilities are often critical, as they allow an attacker to bypass security controls, gain unauthorised access to sensitive data and directly compromise other application users.

A recent example was a bug that cropped up in Feb. in Node.js, an open-source, cross-platform JavaScript runtime environment for developing server-side & networking applications that’s used in IBM Planning Analytics.

Buffer Overflow

Exploiting the buffer overflow in conjunction with HTTP smuggling yields RCE under the privileges of the affected component on the firewall device, according to Randori’s analysis.

The HTTP smuggling wasn’t given a CVE identifier, as Palo Alto Networks doesn’t consider it a security boundary, they explained.

To exploit the bug, an attacker needs network access to the device on the Global Protect service port (default port 443).

VPN Portal

“As the affected product is a VPN portal, this port is often accessible over the Internet,” researchers pointed out.

Virtual firewalls are particularly vulnerable, given that they lack Address Space Layout Randomization (ASLR), the researchers commented.

“On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. On virtualised devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR & Randori expects public exploits will surface.”

Hardware Devices

When it comes to certain hardware device versions with MIPS-based management-plane CPUs, Randori researchers haven’t exploited the buffer overflow to achieve controlled code execution, they said, “due to their big endian architecture.” However, they noted that “the overflow is reachable on these devices & can be exploited to limit availability of services.”

They referred to PAN’s VM-Series of virtualised firewalls, deployed in public & private cloud computing environments & powered by VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft & Google as perimeter gateways, IPSec VPN termination points & segmentation gateways. PAN describes the firewalls as being designed to prevent threats from moving from workload to workload.

8.1 Series

Randori explained that the bug affects firewalls running the 8.1 series of PAN-OS with Global Protect enabled (specifically, as noted above, versions < 8.1.17).

The company’s red-team researchers have proved exploitation of the vulnerability chain & attained RCE on both physical & virtual firewall products.

There’s no public exploit code available yet, & both PAN’s patch & threat-prevention signatures are available to block exploitation, Randori stated.

Exploit Code

Randori noted that public exploit code will likely surface, given what tasty targets VPN devices are for malicious players.

Randori CTO David “moose” Wolpoff has written, explaining why he loves breaking into security appliances & VPNs: After all, they present one convenient lock for attackers to pick, and then presto, they can invade an enterprise.

Colonial Pipeline

The Colonial Pipeline ransomware attack is an example, Wolpoff recently wrote: As Colonial’s CEO told a Senate committee in June (PDF), attackers were able to compromise the company through a legacy VPN account.

“The account lacked multi-factor authentication (MFA) & wasn’t in active use within the business,” Wolpoff noted. It’s “a scenario unlikely to be unique to the fuel pipeline,” he added.

Palo Alto Customers Can Mitigate

Patching as soon as possible is of course the top recommendation, but Randori offered these mitigation options if that’s not doable:

  • Enable signatures for Unique Threat IDs 91820 & 91855 on traffic destined for Global Protect portal & gateway interfaces to block attacks against this vulnerability.
  • If you don’t use the Global Protect VPN portion of the Palo Alto firewall, disable it.
  • For any internet-facing application:
    • Disable or remove any unused features
    • Restrict origin IPs allowed to connect to services
    • Apply layered controls (such as WAF, firewall, access controls, segmentation)
    • Monitor logs and alerts from the device

Ethically Using a Zero Day

Randori pointed out that Wolpoff has blogged about why zero-days are essential to security, & the Palo Alto Networks zero day is a good example.

“As the threat from zero-days grows, more & more organisations are asking for realistic ways to prepare for & train against unknown threats, which translates to a need for ethical use of zero-days,” the researchers said in their writeup.

“When a defender is unable to patch a flaw, they must rely on other controls. Real exploits let them validate those controls, & not simply in a contrived manner. Real exploits let customers struggle against the same class of threats they are already facing.”