• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-3064- A Memory Corruption Vulnerability In Palo Alto Networks GlobalProtect Portal?
How to Fix CVE-2021-3064

Security researchers from Randori have disclosed a new zero-day vulnerability in PAN firewalls using the GlobalProtect Portal VPN. The zero-day is being tracked as CVE-2021-3064 allows for unauthenticated remote code execution. We have created this post to let you know How to Fix CVE-2021-3064- A Memory Corruption Vulnerability in the Palo Alto Networks GlobalProtect portal.

Summary Of CVE-2021-3064:

The vulnerability CVE-2021-3064 is a memory corruption vulnerability found in Palo Alto Networks GlobalProtect portal and gateway interfaces. Attackers could perform unauthenticated network-based attacks like arbitrary code execution with root privileges and can disrupt system processes.

Attackers could achieve remote code execution by exploiting two things together: 1. buffer overflow that occurs while parsing user-supplied input on the stack. 2. HTTP smuggling technique which makes problematic code reachable externally. 

To perform remote code execution, the attacker must have network access to the GlobalProtect interface (default port 443). In most cases, the GlobalProtect interface is made accessible over the internet because it is a VPN portal. Another notable point is that this vulnerability is easy to exploit on Virtualized appliances due to the lack of ASLR. On the other hand, hardware appliance with ASLR enabled is difficult to exploit but possible.

CVSSv3.1 Base Score9.8
DescriptionA memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces
Attack VectorNetwork
Privileges RequiredNone
Attack ComplexityLow
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh

Products Vulnerable To CVE-2021-3064:

Multiple versions of PAN-OS 8.1 are affected. Most likely versions prior to 8.1.17. Palo also said that no Prisma Access users are impacted by this issue.

This vulnerability affects only PAN-OS on which GlobalProtect portal or gateway is enabled. You can verify if the GlobalProtect or gateway is enabled by checking for entries in ‘Network > GlobalProtect > Portals’ and in ‘Network > GlobalProtect > Gateways’ from the web interface.

VersionsAffectedUnaffected
Prisma Access 2.2Noneall
Prisma Access 2.1Noneall
PAN-OS 10.1None10.1.*
PAN-OS 10.0None10.0.*
PAN-OS 9.1None9.1.*
PAN-OS 9.0None9.0.*
PAN-OS 8.1< 8.1.17>= 8.1.17
The table published by security.paloaltonetworks.com

How To Fix CVE-2021-3064 This Memory Corruption Vulnerability?

Palo Alto confirms that the issue is fixed in version PAN-OS 8.1.17 and all later. Organizations who have enabled GlobalProtect portal or gateway on their firewalls are asked to immediately upgrade their PAN-OS to the latest version to fix the CVE-2021-3064 memory corruption vulnerability.

Additionally, for those organizations who can’t apply patches immediately, Palo has released Threat Prevention signatures 91820 & 91855 and asked to enable these signatures on traffic to block attacks against CVE-2021-3064 until you upgrade the PAN-OS. 

Organizations that have not configured the GlobalProtect portal or gateway on their firewalls are not affected by this vulnerability. However, it is a good practice to upgrade the PAN-OS to the latest version. Along with that, always keep monitor logs and alerts for any suspected activities, block blocklisted IP addresses and domain names, and configure defense-in-depth such as a web application firewall, segmentation, and access controls.

We hope this post will help you in knowing How to Fix CVE-2021-3064- A Memory Corruption Vulnerability in Palo Alto Networks GlobalProtect portal. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.