Researchers have reported a new zero-day vulnerability in Palo Alto Networks' GlobalProtect VPN. The vulnerability allows an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges.
The vulnerability is identified as CVE-2021-3064 (CVSS score: 9.8) and affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Randori, a Massachusetts-based cybersecurity firm, discovered the vulnerability.
“The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow,” Randori researchers said. “Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products.”
The security flaw can be traced to a buffer overflow that occurs while parsing user-supplied input. To carry out a successful attack, the attacker must chain the bug with a technique called HTTP smuggling in order to execute code remotely on the VPN installations.
“A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges,” Palo Alto Networks said in an independent advisory. “The attacker must have network access to the GlobalProtect interface to exploit this issue.”
Because VPN devices are on the radar of malicious actors, users are strongly advised to install the patch for the vulnerability quickly. Palo Alto Networks advises “affected organizations to enable threat signatures for identifiers 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to prevent any potential attacks against CVE-2021-3064.”
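
To decide which devices need the patch, the affected range given above (PAN-OS 8.1 before 8.1.17) can be checked against a firewall inventory. The following is an added example, not code from Randori or Palo Alto Networks; the device names and versions are constructed, and the `-hN` hotfix suffix handling assumes the usual PAN-OS version string format.

```python
import re

# Affected range as stated in the article: PAN-OS 8.1 releases before 8.1.17.
AFFECTED_BRANCH = (8, 1)
FIRST_FIXED = (8, 1, 17)

# Assumed format: "8.1.16" or "8.1.16-h1" (optional hotfix suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*$")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix) or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version_text):
    """Return 'affected', 'not-in-affected-range' or 'unknown'."""
    parsed = parse_panos_version(version_text)
    if parsed is None:
        return "unknown"  # never treat unparseable inventory data as safe
    if parsed[:2] != AFFECTED_BRANCH:
        return "not-in-affected-range"  # the article lists only the 8.1 branch
    # Numeric tuple comparison: 8.1.9 sorts before 8.1.17, unlike a string compare.
    return "affected" if parsed[:3] < FIRST_FIXED else "not-in-affected-range"


def triage(inventory):
    """Map each device name to its classification."""
    return {name: classify(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.1.9",
    "fw-edge-02": "8.1.16-h1",
    "fw-dc-01": "8.1.17",
    "fw-dc-02": "9.1.11",
    "fw-lab-01": "8.1.x",
}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {SAMPLE_INVENTORY[device]} -> {status}")
```

Devices reported as `unknown` should be checked by hand rather than assumed patched.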