CVE-2021-3031

Summary

Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets. This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001. This issue impacts: PAN-OS 8.1 version earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS8.1 < 8.1.18affected
Palo Alto NetworksPAN-OS9.0 < 9.0.12affected
Palo Alto NetworksPAN-OS9.1 < 9.1.5affected
Palo Alto NetworksPAN-OS10.0.*unaffected
Palo Alto NetworksPAN-OS8.1.18 < 8.1*unaffected
Palo Alto NetworksPAN-OS9.0.12 < 9.0*unaffected
Palo Alto NetworksPAN-OS9.1.5 < 9.1*unaffected

Weaknesses

  • CWE-200: CWE-200 Information Exposure

Workarounds

There is no workaround to prevent the information leak in the Ethernet packets; however, restricting access to the networks mitigates the risk of this issue.

ADP Enrichment

CVE Program Container

Additional References

References