CVE-2021-3059
Published 2021-11-10
Priority P3 · 51 · high · 8.1 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.54% (71.8th percentile)
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.0 < 10.0.8 | 10.0.8 |
| palo_alto_networks | pan-os | >= 10.1 < 10.1.3 | 10.1.3 |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.20-h1 | 8.1.20-h1 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.14-h3 | 9.0.14-h3 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.11-h2 | 9.1.11-h2 |
| palo_alto_networks | prisma_access | — | — |
| palo_alto_networks | prisma_access | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | >= 10.0.0 < 10.0.8 | 10.0.8 |
| paloaltonetworks | pan-os | >= 10.1.0 < 10.1.3 | 10.1.3 |
| paloaltonetworks | pan-os | 8.1.0 – 8.1.20 | — |
| paloaltonetworks | pan-os | 9.0.0 – 9.0.14 | — |
| paloaltonetworks | pan-os | 9.1.0 – 9.1.11 | — |
CVSS provenance
nvd · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.6 HIGH · AV:N/AC:H/Au:N/C:C/I:C/A:C
Palo Alto
PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates
vendor_paloalto·2021-11-10·CVSS 8.1
CVE-2021-3059 [HIGH] CWE-78 PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates
An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges.
Affected products: PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.
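To triage a firewall inventory against the fixed releases listed above, the following added example (not code from Palo Alto Networks or from this page) compares each PAN-OS version, including its `-hN` hotfix suffix, with the fix for its release train. It assumes version strings of the form `x.y.z` or `x.y.z-hN`; the function names and sample inventory are hypothetical.

```python
import re

# Fixed releases per PAN-OS train, copied from the advisory's Solution line.
FIXED = {
    (8, 1): "8.1.20-h1",
    (9, 0): "9.0.14-h3",
    (9, 1): "9.1.11-h2",
    (10, 0): "10.0.8",
    (10, 1): "10.1.3",
}

# Assumed version format: x.y.z with an optional -hN hotfix suffix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); a missing -hN counts as hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def status(version):
    """Classify a version as 'vulnerable', 'fixed' or 'unlisted' for CVE-2021-3059."""
    parsed = parse(version)
    train = parsed[:2]
    if train in FIXED:
        return "vulnerable" if parsed < parse(FIXED[train]) else "fixed"
    # Trains newer than 10.1 fall under "all later PAN-OS versions".
    if train > max(FIXED):
        return "fixed"
    # Trains older than 8.1 are not covered by the advisory text on this page.
    return "unlisted"


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: status(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = {"fw-edge-01": "9.0.14-h2", "fw-edge-02": "9.0.14-h3",
          "fw-dc-01": "8.1.20", "panorama-01": "10.1.3", "fw-lab-01": "10.2.0"}

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {result}")
```

Note that a base release such as 8.1.20 sorts below its own hotfix 8.1.20-h1, so it is still reported as vulnerable.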
Workaround: Updating dynamic content from a local file will prevent exposure to this vulnerability until you are able to upgrade PAN-OS firewalls and Panorama to a fixed version. You can disable scheduled dynamic updates in the web interface.
Push content updates from Panorama to the
GHSA
GHSA-56p7-mg8r-j8fj: An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates
ghsa_unreviewed·2022-05-24
CVE-2021-3059 [HIGH] CWE-78 GHSA-56p7-mg8r-j8fj: An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-11-10
Published