ZeroDay Vulnerability in Palo Alto Networks Firewalls Allows RCE

A vulnerability has been identified in Palo Alto Networks firewalls using GlobalProtect VPN that could be exploited by an unauthorized attacker to execute arbitrary code on vulnerable devices with superuser privileges.

Issue (CVE-2021-3064) scored 9.8 on the CVSS scale and affects PAN-OS versions from 8.1. until 8.1.17.

“The chain of vulnerabilities consists of a method to bypass checks made by an external web server and a stack-based buffer overflow. The use of a chain of vulnerabilities has been proven and allows you to remotely execute code on both physical and virtual firewalls, ”explained the experts from the information security firm Randori, who discovered the vulnerability.

The vulnerability is related to a buffer overflow that occurs when parsing user input. To successfully exploit the vulnerability, an attacker must use a method called HTTP Request Smuggling and have network access to the device through port 443 of the GlobalProtect service.

Users are strongly encouraged to fix the vulnerability as soon as possible. As a mitigation measure, Palo Alto Networks recommends enabling threat signatures for IDs 91820 and 91855 in traffic destined for the GlobalProtect portal and gateway interfaces.

Technical details of CVE-2021-3064 will not be released for 30 days to prevent attackers from using the vulnerability to carry out attacks.

HTTP Request Smuggling is based on differences in the processing of data from one or more HTTP devices (cache server, proxy server, firewall, etc.) located between the user and the web server. The HTTP Request Smuggling technique allows for various types of attacks - cache poisoning, session hijacking, cross-site scripting, and also provides the ability to bypass firewall protection.