Palo Alto Patches Zero-Day Vulnerability in Firewall Product

Security researchers have discovered a vulnerability in the PAN-OS firewalls produced by Palo Alto Networks. The research team that found it works with the security firm Randori.

The Randori team developed a methodology and a working exploit that gave them remote code execution on the Palo Alto firewall platform. The vulnerability has been cataloged as CVE-2021-3064 and has received an extremely high severity rating of 9.8 out of a maximum of 10.

Although it was initially believed that the vulnerability allowed remote code execution on multiple versions of Palo Alto's PAN-OS, Palo Alto later clarified that it affects only PAN-OS 8.1, specifically versions earlier than 8.1.17.

After Palo Alto provided this additional information, the estimated number of affected systems shrank from an initial, inaccurate figure of 70,000 to about 10,000 devices.

Palo Alto has now patched the vulnerability, and the update is expected to be fully rolled out and applied within the next 30 days. After that period, Randori will provide fuller disclosure of the nature of the patched vulnerability.

So far the researchers have revealed that the vulnerability allows shell-level code execution by abusing a buffer overflow that occurs when the system parses user input into a specific portion of the memory stack. Before a threat actor could exploit it, they would first have to resort to HTTP request smuggling; this is the only way to reach the exploitable buffer overflow.
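The bug class named above, a fixed-size stack buffer filled from untrusted input without a length check, is shown here as an added illustration beside a bounds-checked version. This is generic example code written for this article, not Palo Alto's PAN-OS code or Randori's exploit; the function names, the `&`-delimited field format and the 32-byte buffer size are hypothetical, and nothing here reflects the actual flaw in CVE-2021-3064.

```c
/* Added illustration, not Palo Alto code: a stack buffer overflow while
 * parsing user input, and the bounds-checked form a code reviewer would
 * expect instead. All names, the field format and FIELD_MAX are hypothetical. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* hypothetical fixed size of the stack buffer */

/* Vulnerable pattern: copies input up to the '&' delimiter into a fixed-size
 * stack buffer with no check against its size. Input longer than FIELD_MAX-1
 * bytes writes past the end of 'field' (and of 'out'), corrupting the stack.
 * Only ever call this with input known to fit; it exists to show the defect. */
int parse_field_unsafe(const char *input, char *out /* FIELD_MAX bytes */)
{
    char field[FIELD_MAX];
    size_t i = 0;
    while (input[i] != '\0' && input[i] != '&') {
        field[i] = input[i];      /* no bound on i: the overflow */
        i++;
    }
    field[i] = '\0';
    memcpy(out, field, i + 1);
    return (int)i;
}

/* Hardened form: the caller passes the output size, and the parser refuses
 * any field that would not fit together with its NUL terminator.
 * Returns the field length, or -1 when the input is rejected. */
int parse_field_safe(const char *input, char *out, size_t out_len)
{
    size_t i = 0;
    if (out == NULL || out_len == 0)
        return -1;
    while (input[i] != '\0' && input[i] != '&') {
        if (i + 1 >= out_len)     /* no room left for this byte plus NUL */
            return -1;            /* reject instead of overflowing */
        out[i] = input[i];
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Parses 'input' into a FIELD_MAX-byte buffer with the safe parser and
 * reports the result, so the accept/reject boundary can be checked. */
int check_field(const char *input)
{
    char out[FIELD_MAX];
    return parse_field_safe(input, out, sizeof out);
}

/* Builds a constructed input of 'n' copies of 'c' and runs check_field on it.
 * Returns -2 if n does not fit the local scratch buffer. */
int check_repeated(char c, size_t n)
{
    char buf[256];
    if (n >= sizeof buf)
        return -2;
    memset(buf, c, n);
    buf[n] = '\0';
    return check_field(buf);
}

int main(void)
{
    const char *sample = "alice&lang=en";   /* constructed sample input */
    char out[FIELD_MAX];
    int n = parse_field_safe(sample, out, sizeof out);
    printf("safe parse of \"%s\": %d bytes -> \"%s\"\n", sample, n, out);
    /* The unsafe parser behaves identically while the input fits... */
    n = parse_field_unsafe("bob&x", out);
    printf("unsafe parse of in-range input: %d bytes -> \"%s\"\n", n, out);
    /* ...the difference is only at the boundary the safe parser enforces. */
    printf("31-byte field accepted: %d\n", check_repeated('A', 31));
    printf("32-byte field rejected: %d\n", check_repeated('A', 32));
    return 0;
}
```

The detail to notice is that the fix is not just "a bigger buffer": the hardened parser is told the destination size by its caller and fails closed when input exceeds it, which is the property a reviewer or a fuzzing harness can check directly.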

Randori will very likely release the full details and the specific code used to construct the exploit once users have had time to update their configurations.

November 11, 2021