CVE-2021-3031
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets. This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001. This issue impacts: PAN-OS 8.1 version earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | 8.1 < 8.1.18 | affected |
| Palo Alto Networks | PAN-OS | 9.0 < 9.0.12 | affected |
| Palo Alto Networks | PAN-OS | 9.1 < 9.1.5 | affected |
| Palo Alto Networks | PAN-OS | 10.0.* | unaffected |
| Palo Alto Networks | PAN-OS | 8.1.18 < 8.1* | unaffected |
| Palo Alto Networks | PAN-OS | 9.0.12 < 9.0* | unaffected |
| Palo Alto Networks | PAN-OS | 9.1.5 < 9.1* | unaffected |
Weaknesses
- CWE-200: CWE-200 Information Exposure
Workarounds
There is no workaround to prevent the information leak in the Ethernet packets; however, restricting access to the networks mitigates the risk of this issue.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.