CVE-2021-3062

PAN-OS: Improper Access Control Vulnerability Exposing AWS Instance Metadata Endpoint to GlobalProtect Users

Description

An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue.

Remediation

Solution:

This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions

Workaround:

There are no known workarounds for this issue.

References

Link	Tags
https://security.paloaltonetworks.com/CVE-2021-3062	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-3062?: CVE-2021-3062 has been scored as a high severity vulnerability.
How to fix CVE-2021-3062?: To fix CVE-2021-3062: This issue is fixed in PAN-OS 8.1.20, PAN-OS 9.0.14, PAN-OS 9.1.11, PAN-OS 10.0.8, and all later PAN-OS versions
Is CVE-2021-3062 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-3062 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-3062?: CVE-2021-3062 affects Palo Alto Networks PAN-OS, Palo Alto Networks Prisma Access.

Description

Remediation

Category

CWE-284 – Improper Access Control

References

Frequently Asked Questions