Researchers person a moving exploit for the vulnerability (now patched), which allows for unauthenticated RCE and affects an estimated 70,000+ VPN/firewalls.
Researchers person developed a moving exploit to summation distant codification execution (RCE) via a monolithic vulnerability successful a information appliance from Palo Alto Networks (PAN), perchance leaving much than 70,000 susceptible firewalls with their goods exposed to the internet.
The captious zero day, tracked arsenic CVE 2021-3064 and scoring a CVSS standing of 9.8 retired of 10 for vulnerability severity, is successful PAN’s GlobalProtect firewall. It allows for unauthenticated RCE connected aggregate versions of PAN-OS 8.1 anterior to 8.1.17, connected some carnal and virtual firewalls.
Randori researchers said successful a Wednesday post that if an attacker successfully exploits the weakness, they tin summation a ammunition connected the targeted system, entree delicate configuration data, extract credentials and more.
After that, attackers tin creation crossed a targeted organization, they said: “Once an attacker has power implicit the firewall, they volition person visibility into the interior web and tin proceed to determination laterally.”
Going by a Shodan hunt of internet-exposed devices, Randori believes determination are “more than 70,000 susceptible instances exposed connected internet-facing assets.”
The Randori Attack Team recovered the zero time a twelvemonth ago, developed a moving exploit and utilized it against Randori customers (with authorization) implicit the past year. Below is the team’s video of the exploit:
Don’t Panic, But Do Patch
Randori has coordinated disclosure with PAN. On Wednesday, PAN published an advisory and an update to spot CVE-2021-3064.
Randori’s besides readying to merchandise much method details connected Wednesday, “once the spot has had capable clip to soak,” and volition contented updates astatine @RandoriAttack connected Twitter, according to its writeup.
While Randori is mounting speech 30 days earlier releasing yet much elaborate method accusation that it usually provides successful its onslaught notes – a grace play for customers to spot oregon upgrade – it did springiness immoderate higher-level details.
Vulnerability Chain Details
Randori said that CVE-2021-3064 is simply a buffer overflow that occurs portion parsing user-supplied input into a fixed-length determination connected the stack. To get to the problematic code, attackers would person to usage an HTTP smuggling technique, researchers explained. Otherwise, it’s not reachable externally.
HTTP petition smuggling is simply a method for interfering with the mode a web tract processes sequences of HTTP requests that are received from 1 oregon much users.
Exploitation of the buffer overflow done successful conjunction with HTTP smuggling unneurotic yields RCE nether the privileges of the affected constituent connected the firewall device, according to Randori’s analysis. The HTTP smuggling wasn’t fixed a CVE identifier, arsenic Palo Alto Networks doesn’t see it a information boundary, they explained.
To exploit the bug, an attacker needs web entree to the instrumentality connected the GlobalProtect work larboard (default larboard 443).
“As the affected merchandise is simply a VPN portal, this larboard is often accessible implicit the Internet,” researchers pointed out.
Virtual firewalls are peculiarly vulnerable, fixed that they deficiency Address Space Layout Randomization (ASLR), the researchers said. “On devices with ASLR enabled (which appears to beryllium the lawsuit successful astir hardware devices), exploitation is hard but possible. On virtualized devices (VM-series firewalls), exploitation is importantly easier owed to deficiency of ASLR and Randori expects nationalist exploits volition surface.” When it comes to definite hard instrumentality versions with MIPS-based absorption level CPUs, Randori researchers haven’t exploited the buffer overflow to execute controlled codification execution, they said, “due to their big endian architecture.” But they noted that “the overflow is reachable connected these devices and tin beryllium exploited to bounds availability of services.”
They referred to PAN’s VM-Series of virtualized firewalls, deployed successful nationalist and backstage unreality computing environments and powered by VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft and Google arsenic perimeter gateways, IPSec VPN termination points and segmentation gateways. PAN describes the firewalls arsenic being designed to forestall threats from moving from workload to workload.
Randori said that the bug affects firewalls moving the 8.1 bid of PAN-OS with GlobalProtect enabled (specifically, arsenic noted above, versions < 8.1.17). The company’s red-team researchers person proved exploitation of the vulnerability concatenation and attained RCE connected some carnal and virtual firewall products.
There’s nary nationalist exploit codification disposable – yet – and determination are some PAN’s spot and menace prevention signatures disposable to artifact exploitation, Randori said.
Exploit Code Sure to Follow
Randori noted that nationalist exploit codification volition apt surface, fixed what tasty targets VPN devices are for malicious actors.
Randori CTO David “moose” Wolpoff has written for Threatpost, explaining wherefore he loves breaking into information appliances and VPNs: After all, they contiguous 1 convenient fastener for attackers to pick, and past presto, they tin invade an enterprise.
The Colonial Pipeline ransomware onslaught is simply a lawsuit successful point, Wolpoff precocious wrote: As Colonial’s CEO told a Senate committee successful June (PDF), attackers were capable to compromise the institution done a bequest VPN account.
“The relationship lacked multi-factor authentication (MFA) and wasn’t successful progressive usage wrong the business,” Wolpoff noted. It’s “a script improbable to beryllium unsocial to the substance pipeline,” helium added.
How Palo Alto Customers Can Mitigate the Threat
Patching arsenic soon arsenic imaginable is of people the apical recommendation, but Randori offered these mitigation options if that’s not doable:
- Enable signatures for Unique Threat IDs 91820 and 91855 connected postulation destined for GlobalProtect portal and gateway interfaces to artifact attacks against this vulnerability.
- If you don’t usage the GlobalProtect VPN information of the Palo Alto firewall, disable it.
- For immoderate internet-facing application:
- Disable oregon region immoderate unused features
- Restrict root IPs allowed to link to services
- Apply layered controls (such arsenic WAF, firewall, entree controls, segmentation)
- Monitor logs and alerts from the device
The ‘Bigger Story:’ Ethically Using a Zero Day
Randori pointed retired that Wolpoff has blogged astir why zero-days are indispensable to security, and the Palo Alto Networks zero time is simply a premier example.
“As the menace from zero-days grows, much and much organizations are asking for realistic ways to hole for and bid against chartless threats, which translates to a request for ethical usage of zero-days,” the researchers said successful their writeup. “When a defender is incapable to spot a flaw, they indispensable trust connected different controls. Real exploits fto them validate those controls, and not simply successful a contrived manner. Real exploits fto customers scrimmage against the aforesaid people of threats they are already facing.”
Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is simply a coagulated answer. Join Uptycs and Threatpost connected Tues., Nov. 16 astatine 2 p.m. ET for “An Intro to OSquery and CloudQuery,” a LIVE, interactive speech with Eric Kaiser, Uptycs’ elder information engineer, astir however this open-source instrumentality tin assistance tame information crossed your organization’s full campus.