Researchers on Wednesday discovered a zero-day buffer overflow vulnerability that causes an unauthenticated remote code execution on Palo Alto Networks (PAN) firewalls using the vendor’s GlobalProtect Portal VPN.
Security researchers said this research points to the need for the industry to move off of the dependency on firewalls and VPNs and more towards a holistic zero-trust approach.
“VPNs are every bit as full-featured as any other computer on your network, but they have little or no monitoring, security, or redundancies installed,” said David “Moose” Wolpoff, co-founder and CTO at Randori, the company that conducted the research. “Yet, it has privileges, stores credentials and can transit the security boundary. Once an attacker owns this device, they can see everything flowing through this information gateway.”
In a blog post, the Randori Attack Team said the zero-day (CVE-2021-3064) affects multiple versions of PAN-OS 8.1 prior to 8.1.17. The Randori researchers said they found numerous vulnerable instances exposed in excess of 10,000 internet-facing assets. The vulnerability had a severity rating of 9.8, marking it as critical.
The research began in October 2020 and the vulnerability was finally disclosed by Randori to PAN in September of this year. Finally, PAN released a patch and the issue was made public yesterday. Subscribers can obtain a patch on the Palo Alto support site.
It’s good to see Palo Alto Networks and Randori work together to provide a mitigation path for this CVE, said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. Bar-Dayan said attacks could use this vulnerability to do quite a bit of damage because thousands of the vulnerable assets are internet-facing.
“A patch is available and the onus is now on PAN customers and their IT security teams to assess risk to the business and move quickly to remediate the risk,” Bar-Dayan said. “Potential impact and vulnerability severity mandate teams should move quickly to patch this one.”
Archie Agarwal, founder and CEO at ThreatModeler, said it’s precisely because of the continual slew of newly found RCE vulnerabilities in popular firewalls and VPNs that the industry has seen the rise of zero-trust approaches. Agarwal said firewalls and VPNs represent the castle-and-moat school of security thought that has failed us over and again for two decades.
“These potential portals to the inner sanctum are beaconing out on the internet for anybody to try to break through,” Agarwal said. “The realization that zero-trust architecture offers the opportunity to cloak entry points is growing —it’s just very difficult to break into something you can’t see. Hopefully the rise of zero-trust architectures will eventually bring an end to these old fortress mentality problems.”
Saryu Nayyar, CEO of Gurucul, added that nobody really expects vulnerabilities in a firewall because they are specifically designed to keep intruders out. However, Nayyar said they are computing devices and are often just as vulnerable as any other network system.
“In this case, security researchers at Randori have found a potentially serious zero-day vulnerability in Palo Alto’s GlobalProtect VPN,” Nayyar said. “This vulnerability lets malicious code bypass validation checks and uses a subsequent buffer overflow to perform remote code execution. Just because an organization has a firewall doesn’t mean that IT staff and SOC analysts can stop being vigilant. Fortunately, Randori worked with Palo Alto Networks before publicizing the defect, and patches are available. However, those using this firewall have to test and install the patches, and networks remain vulnerable to unpatched systems.”
Bill Lawrence, chief information security officer at SecurityGate, added that these vulnerability discoveries were the result of over a year of work and coordination by Randori and Palo Alto.
“This is bad,” Lawrence said. “Thankfully, this announcement shows the value of technical experts ‘red teaming’ popular software and hardware, and then responsibly working with the OEM to fully map out the vulnerabilities so they might have patches to put in place before it is seen in the ‘wilds’ of the internet."
