Researchers have developed a working exploit that achieves remote code execution (RCE) through a serious flaw in a Palo Alto Networks (PAN) security appliance, potentially leaving 10,000 vulnerable firewalls exposed to the internet.
The major zero-day, identified as CVE-2021-3064 and with a CVSS severity rating of 9.8 out of 10, is in PAN’s GlobalProtect firewall. It enables unauthenticated RCE on PAN-OS 8.1 versions prior to 8.1.17, on both virtual and physical firewalls.
According to Randori researchers, if a hacker successfully abuses the vulnerability, they can acquire a shell on the targeted machine, read sensitive configuration data, extract passwords, and more.
After that, they suggested, attackers can “dance” across a targeted organization: “Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”
Randori initially believed there were “more than 70,000 vulnerable instances exposed on internet-facing assets” based on a Shodan scan of internet-exposed devices.
The Randori Attack Team discovered the zero-day a year ago, created a functioning exploit, and utilized it against Randori clients (with permission) throughout the last year.
Don’t Worry, But Patch
Randori has worked with PAN to coordinate disclosure. PAN issued an alert as well as an update to fix CVE-2021-3064 on Wednesday.
Randori also plans to reveal further technical details on Wednesday, “once the patch has had enough time to soak,” and will provide software updates on Twitter @RandoriAttack.
While Randori is deferring for 30 days the release of the more comprehensive technical information it generally gives in its attack reports (a grace period for clients to patch or upgrade), it did disclose some higher-level facts.
Details on Vulnerability Chain
According to Randori, the CVE-2021-3064 flaw is a buffer overflow that occurs while parsing user-supplied data into a fixed-length area on the stack. Researchers highlighted that an attacker must use an HTTP smuggling technique to reach the defective code. Otherwise, it is not reachable externally.
HTTP request smuggling is a method of tampering with how a website handles sequences of HTTP requests sent by one or more users.
According to Randori’s investigation, exploiting the buffer overflow in combination with HTTP smuggling results in RCE with the privileges of the affected component on the firewall.
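As an added illustration of the smuggling class in general (not Randori's technique, which the page does not describe, and not PAN code), the check below flags requests whose body length two HTTP parsers could read differently. The function names and the sample requests are constructed for this example.

```python
def parse_headers(raw: bytes):
    """Return [(name, value)] from a raw request head; names keep their spacing."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name, value.strip()))
    return pairs

def framing_problems(raw: bytes):
    """List the reasons this request's body framing is ambiguous (empty = clean)."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF line ending")
    lengths, encodings = [], []
    for name, value in parse_headers(raw):
        if name != name.strip():
            problems.append("whitespace around header name")
        key = name.strip().lower()
        if key == b"content-length":
            lengths.append(value)
        elif key == b"transfer-encoding":
            encodings.append(value.lower())
    if lengths and encodings:
        problems.append("both Content-Length and Transfer-Encoding")
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in lengths):
        problems.append("non-numeric Content-Length")
    if encodings and encodings != [b"chunked"]:
        problems.append("unexpected Transfer-Encoding value")
    return problems

# Constructed sample requests (host name and bodies are made up).
CLEAN = b"POST /a HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n\r\nhello"
BOTH = (b"POST /a HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUPLICATE = (b"POST /a HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n"
             b"Content-Length: 50\r\n\r\nhello")
SPACED = b"POST /a HTTP/1.1\r\nHost: vpn.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("both", BOTH),
                       ("duplicate", DUPLICATE), ("spaced", SPACED)]:
        print(label, framing_problems(req) or "ok")
```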
An attacker must have network access to the devices on the GlobalProtect service port in order to exploit the problem.
“As the affected product is a VPN portal, this port is often accessible over the Internet,” researchers said.
Virtual firewalls are especially susceptible because they lack ASLR (Address Space Layout Randomization), according to the researchers.
“On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface.”
Randori researchers said that on certain hardware device models with MIPS-based management plane CPUs, they have not exploited the buffer overflow to achieve controlled code execution “due to their big-endian architecture.” They also noted that “the overflow is reachable on these devices and can be exploited to limit the availability of services.”
They pointed to PAN’s VM-Series virtualized firewalls, which are used as IPSec VPN termination points, perimeter gateways, and segmentation gateways, and which are deployed in private and public cloud computing environments powered by Cisco, VMware, KVM, Citrix, Amazon Web Services, OpenStack, Google, and Microsoft. The firewalls, according to PAN, are meant to prevent attacks from moving from workload to workload.
Randori stated that the problem affects firewalls using the PAN-OS 8.1 series with GlobalProtect enabled (specifically, as previously stated, versions prior to 8.1.17). The firm’s red-team researchers demonstrated vulnerability chain exploitation and RCE on both virtual and physical firewall solutions.
There is no public exploit code available yet, and both PAN’s patch and threat protection signatures are available to block exploitation, according to Randori.
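One way to turn the conditions above into a patch-priority list, as an added example that is not from Randori or PAN: it flags PAN-OS 8.1 releases prior to 8.1.17 with GlobalProtect enabled and puts VM-Series first because of the missing ASLR. The inventory columns, hostnames, model strings and status labels are assumptions made up for this example.

```python
import csv
import io
import re

FIXED = (8, 1, 17)  # first fixed 8.1 release, per the article

# Constructed inventory; every row is made up for this example.
SAMPLE_INVENTORY = """hostname,sw_version,model,globalprotect
fw-edge-01,8.1.16,PA-3220,yes
fw-cloud-01,8.1.15-h3,PA-VM,yes
fw-lab-01,8.1.17,PA-VM,yes
fw-core-01,8.1.10,PA-5220,no
fw-dc-01,9.1.11-h2,PA-3260,yes
fw-old-01,unknown,PA-220,yes
"""

def parse_panos_version(text):
    """Return (major, minor, maintenance), or None if the string is unparseable.
    A hotfix suffix such as -h3 is accepted and ignored: it never changes
    which side of 8.1.17 a release falls on."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(row):
    """Classify one inventory row against the conditions the article lists."""
    version = parse_panos_version(row["sw_version"])
    if version is None:
        return "unknown-version"            # fail closed: check by hand
    if version[:2] != (8, 1) or version >= FIXED:
        return "not-affected"
    if row["globalprotect"].strip().lower() != "yes":
        return "vulnerable-release-gp-off"  # affected release, service not enabled
    # Randori reports VM-Series lack ASLR, so exploitation is easier there.
    is_vm = row["model"].strip().upper().startswith("PA-VM")
    return "patch-first" if is_vm else "patch"

def triage_inventory(csv_text):
    """Map each hostname in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```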
Using a Zero-Day Ethically
Randori mentioned that Wolpoff has posted on why zero-days are important for security, using the Palo Alto Networks zero-day as an example.
“As the threat from zero-days grows, more and more organizations are asking for realistic ways to prepare for and train against unknown threats, which translates to a need for ethical use of zero-days,” the researchers mentioned in their reports. “When a defender is unable to patch a flaw, they must rely on other controls. Real exploits let them validate those controls, and not simply in a contrived manner. Real exploits let customers scrimmage against the same class of threats they are already facing.”