PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates

CVE-2021-3059

8.1HIGH

Key Information

Vendor: Palo Alto Networks
Status: Pan-os; Prisma Access
Vendor: CVE Published:; 10 November 2021

Badges

👾 Exploit Exists

Summary

An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue.

Affected Version(s)

PAN-OS < 10.0.8

PAN-OS < 10.1.3

PAN-OS < 8.1.20-h1

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Aug 3, 2024
Initial publication
Nov 10, 2021
Vulnerability published.
Nov 10, 2021
Vulnerability Reserved.
Jan 6, 2021

Collectors

NVD DatabaseMitre Database

Credit

Palo Alto Networks thanks CJ, an external security researcher, for discovering and reporting this issue.