Palo Alto Networks patches zero-day bug in its GlobalProtect Portal VPN

Nearly 10,000 internet-facing servers are estimated to be running on vulnerable software

Palo Alto Networks (PAN) has released a patch for a zero-day vulnerability that affects the company's firewalls using the GlobalProtect Portal VPN and could enable an unauthenticated network-based attacker to execute arbitrary code with root user privileges on vulnerable devices.

Listed as CVE-2021-3064, the security flaw has a severity rating of 9.8 out of 10 and impacts multiple versions of PAN-OS 8.1 earlier than PAN-OS 8.1.17. It was discovered by researchers at Massachusetts-based cyber security firm Randori who reported the issue to PAN in September 2021.

Randori said data provided by Shodan, the search engine that finds internet-connected devices, showed that nearly 10,000 internet-facing servers are running on vulnerable software.

According to the researchers, the security flaw stems from a buffer overflow that occurs while parsing user-supplied input in a fixed-length location on the stack.

To achieve remote code execution on the VPN installations, attackers would have to chain the bug with a technique known as HTTP smuggling, an exploit method that interferes with the way a website processes sequences of HTTP requests.

"The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow," the Randori researchers said.

"Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products."
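The smuggling half of the chain works by getting the external web server and the back-end to disagree on where one HTTP request ends, so that a second, unvalidated request rides inside the first. As an added example, not code from the article, Randori or Palo Alto, here is a Python check a front-end or WAF could apply to reject requests whose body framing is ambiguous under the HTTP/1.1 rules; the sample requests and hostname are constructed.

```python
import re

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into its request line and a list of
    (raw_name, value) header pairs. The body is not needed for a framing check."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            raw_name, _, value = line.partition(":")
            headers.append((raw_name, value.strip()))
    return lines[0], headers

def framing_issues(raw: bytes):
    """Return the reasons a front-end proxy and a back-end server might disagree
    on where this request's body ends (an empty list means the framing is
    unambiguous). A front-end that rejects every flagged request cannot be used
    to smuggle a second request past its validation."""
    _, headers = parse_head(raw)
    issues = []
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            issues.append(f"non-numeric Content-Length {v!r}")
    for v in te:
        # Only an exact lower-case 'chunked' as the final coding, with plain
        # comma-space separators, is parsed the same way by every server.
        codings = [c.strip() for c in v.split(",")]
        if codings[-1] != "chunked" or v != ", ".join(codings):
            issues.append(f"obfuscated Transfer-Encoding {v!r}")
    for n, _ in headers:
        # Whitespace around a framing header's name is another known split point.
        if n != n.strip() and n.strip().lower() in ("content-length", "transfer-encoding"):
            issues.append(f"whitespace around header name {n!r}")
    return issues

# Constructed sample requests (not captured traffic); the host is a placeholder.
CLEAN = (b"POST /login HTTP/1.1\r\nHost: vpn.example.invalid\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: vpn.example.invalid\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("CLEAN", CLEAN), ("AMBIGUOUS", AMBIGUOUS)):
        print(name, framing_issues(req) or "ok")
```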

Randori said its research team developed a reliable working exploit for the vulnerability, enabling them "to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more".

Once an attacker has control over the firewall, they can easily move laterally within the internal network, it warned.

Palo Alto this week released an update that patches CVE-2021-3064 on vulnerable devices.

"The issue is fixed in PAN-OS 8.1.17 and all later PAN-OS versions," the firm said in its security advisory.

Palo Alto has also made available Threat Prevention Signatures 91820 and 91855 that organisations can use to block exploitation of the flaw.

Over the past few years, cyber actors have actively exploited security weaknesses in various enterprise firewalls and VPNs from the likes of Microsoft, Citrix, and Fortinet.

In October 2020, the FBI and CISA published a joint alert to warn organisations of ongoing cyber attacks against a wide variety of US targets by a Russian state-sponsored hacking group.

The officials said that hackers were targeting publicly known security bugs, including CVE-2020-0688 (Microsoft Exchange email servers), CVE-2019-19781 (Citrix access gateways), CVE-2018-13379 (Fortinet SSL VPNs), CVE-2019-10149 (Exim mail agents) and CVE-2020-1472 (Windows Netlogon bug), in efforts to compromise network devices, expand their presence on the networks and steal sensitive data from victim machines.

Earlier, in July 2020, Cisco patched 31 vulnerabilities, including RCE, static default credential and authentication bypass bugs, which could have enabled hackers to take full control of vulnerable routers and firewall devices.

Also in 2020, usernames, passwords and a great deal of other sensitive information for more than 900 Pulse Secure VPN enterprise servers were published on a Russian-speaking hacker forum by an unidentified hacker.

Security researchers said that all those servers were running a firmware version vulnerable to the CVE-2019-11510 security flaw.