Last Updated on 22/11/2021 by Nidhi Khandelwal
Palo Alto Networks GlobalProtect VPN has a new zero-day vulnerability that an unauthenticated network-based attacker could exploit to execute arbitrary code with root privileges on affected devices.
The security flaw is identified as CVE-2021-3064 and affects PAN-OS 8.1 versions prior to PAN-OS 8.1.17. Randori, a cybersecurity business based in Massachusetts, is credited with detecting and reporting the problem.
However, in an alarming turn of events, the company said it used this exploit for approximately ten months as part of its red team engagements before disclosing it to Palo Alto Networks in late September 2021. Technical details of CVE-2021-3064 will be kept under wraps for the next 30 days to prevent threat actors from exploiting the flaw in real-world attacks.
The flaw is a buffer overflow that occurs when parsing user-supplied input. To successfully exploit the weakness and gain remote code execution on the VPN installations, the attacker must combine it with a technique known as HTTP smuggling, and must also have network access to the device via the GlobalProtect service default port 443.
Because VPN devices are a valuable target for criminal actors, it’s critical that users patch the vulnerability as soon as possible. To block potential CVE-2021-3064 attacks, Palo Alto Networks is encouraging impacted businesses to enable threat signatures for identifiers 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces.
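To help prioritise patching against the affected range given above (PAN-OS 8.1 before 8.1.17), here is an added triage example. It is not code from Palo Alto Networks or Randori. The inventory columns, hostnames and the "globalprotect" flag are assumptions, and the sample data is constructed.

```python
import csv
import io
import re

# Affected range stated in the article: PAN-OS 8.1 releases before 8.1.17.
AFFECTED_TRAIN = (8, 1)
FIXED_MAINTENANCE = 17

# PAN-OS version strings look like "8.1.16" or "8.1.16-h2" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def classify(version):
    """Return 'affected', 'not_affected' or 'unknown' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # never assume an unparseable version is safe
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    if (major, minor) != AFFECTED_TRAIN:
        return "not_affected"
    # A hotfix on an older maintenance release (e.g. 8.1.16-h2) is still < 8.1.17.
    return "affected" if maint < FIXED_MAINTENANCE else "not_affected"

def triage(inventory_csv):
    """Group hosts by status. GlobalProtect hosts on affected builds are 'patch_now'."""
    result = {"patch_now": [], "affected_no_gp": [], "review": [], "ok": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["sw_version"])
        gp = row["globalprotect"].strip().lower() == "yes"
        if status == "unknown":
            bucket = "review"
        elif status == "affected":
            bucket = "patch_now" if gp else "affected_no_gp"
        else:
            bucket = "ok"
        result[bucket].append(row["hostname"])
    return result

# Constructed sample inventory (hostnames and column names are hypothetical).
SAMPLE = """hostname,sw_version,globalprotect
fw-edge-01,8.1.16-h2,yes
fw-edge-02,8.1.17,yes
fw-core-01,8.1.9,no
fw-dc-01,9.1.11-h2,yes
fw-lab-01,8.1.x-custom,yes
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "review" bucket have a version string the parser could not read and should be checked by hand rather than treated as patched.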