Researchers with cybersecurity firm Randori have discovered a remote code execution vulnerability in Palo Alto Networks firewalls using the GlobalProtect Portal VPN.
The zero-day — which has a severity rating of 9.8 — allows for unauthenticated remote code execution on vulnerable installations of the product.
The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17 and Randori said it found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000 assets.
Palo Alto has released an update that patches CVE-2021-3064 after being notified about the issue in September.
Aaron Portnoy, principal scientist at Randori, told ZDNet that the original catalyst for their research into Palo Alto Networks firewalls was the identification of its presence on customer perimeters.
“Randori believes the best way to identify potential points of attack is to assess the attack surface. We then devoted resources into assessing the attack surface of the firewall itself in a lab environment. This process allowed us to identify the components an attacker would have to exploit in order to compromise the device,” Portnoy explained.
“As is the case with many closed-source products, simply setting up an environment in which to develop an exploit is challenging. Complex products such as PAN firewalls include protections that make this process difficult regardless of the vulnerability. We have found the overall security posture of the affected devices to be on par with other vendors in the space.”
Portnoy said that exploitation is difficult but possible on devices with ASLR enabled, which appears to be the case in most hardware devices.
“On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface,” Portnoy said.
According to Portnoy, in October 2020 his team was tasked with researching vulnerabilities with the GlobalProtect Portal VPN. By November 2020, his team discovered CVE-2021-3064, began authorized exploitation of Randori customers, and successfully landed it at one of their customers — over the internet — not just in a lab.
The exploit gains root privileges — complete control over the device — and can execute arbitrary code. Portnoy said his team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials and more while moving laterally from there and gaining visibility into the internal network. Portnoy estimates that the vulnerability would be worth several hundred thousand dollars on the black market.
Portnoy and Randori touted the situation as an example of the ethical use of zero-days to protect companies from the kind of threats they face from nation-state actors.
