CVE-2021-3059
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | 10.0 < 10.0.8 | affected |
| Palo Alto Networks | PAN-OS | 10.1 < 10.1.3 | affected |
| Palo Alto Networks | PAN-OS | 8.1 < 8.1.20-h1 | affected |
| Palo Alto Networks | PAN-OS | 9.0 < 9.0.14-h3 | affected |
| Palo Alto Networks | PAN-OS | 9.1 < 9.1.11-h2 | affected |
| Palo Alto Networks | Prisma Access | 2.1 Innovation | affected |
| Palo Alto Networks | Prisma Access | 2.1 Preferred | affected |
| Palo Alto Networks | Prisma Access | all < 2.2* | unaffected |
Weaknesses
- CWE-78: CWE-78 OS Command Injection
Workarounds
You can disable scheduled dynamic updates for the firewall at 'Device Deployment > Dynamic Updates' in the web interface. Choosing not to receive dynamic updates will minimize your exposure to this vulnerability until you upgrade the PAN-OS firewall to a fixed version.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.