CVE-2021-3060
Published: 2021-11-10
CVE-2021-3060: An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based…
Priority: P268 · high · 8.1 · CVSS 3.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 33.88% (98.2th percentile)
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.0 < 10.0.8 | 10.0.8 |
| palo_alto_networks | pan-os | >= 10.1 < 10.1.3 | 10.1.3 |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.20-h1 | 8.1.20-h1 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.14-h3 | 9.0.14-h3 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.11-h2 | 9.1.11-h2 |
| palo_alto_networks | prisma_access | — | — |
| palo_alto_networks | prisma_access | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | >= 10.0.0 < 10.0.8 | 10.0.8 |
| paloaltonetworks | pan-os | >= 10.1.0 < 10.1.3 | 10.1.3 |
| paloaltonetworks | pan-os | 8.1.0 – 8.1.20 | — |
| paloaltonetworks | pan-os | 9.0.0 – 9.0.14 | — |
| paloaltonetworks | pan-os | 9.1.0 – 9.1.11 | — |
| paloaltonetworks | prisma_access | — | — |
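The affected ranges above turn on hotfix suffixes (8.1.20 is affected, 8.1.20-h1 is not), which a plain string comparison gets wrong. The following is an added example, not code from the vendor or from this page's sources; the function names, the `X.Y.Z[-hN]` version format it accepts, and the sample inventory are assumptions.

```python
import re

# First fixed release per affected train, from the advisory text on this page.
FIXED = {
    "8.1": "8.1.20-h1",
    "9.0": "9.0.14-h3",
    "9.1": "9.1.11-h2",
    "10.0": "10.0.8",
    "10.1": "10.1.3",
}

# Assumed version format: major.minor.maintenance with an optional -hN hotfix.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); no -hN suffix means hotfix 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def status(version):
    """Classify a PAN-OS version as 'vulnerable', 'fixed' or 'not-listed'."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if train in FIXED:
        return "vulnerable" if v < parse(FIXED[train]) else "fixed"
    if v[:2] > (10, 1):
        return "fixed"       # covered by "all later PAN-OS versions"
    return "not-listed"      # older trains are not mentioned by the advisory


def triage(inventory):
    """Map each host in {host: version} to its status."""
    return {host: status(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.1.20",
    "fw-edge-02": "8.1.20-h1",
    "fw-dc-01": "9.0.14-h2",
    "fw-dc-02": "10.0.7-h3",
    "fw-lab-01": "10.2.0",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```
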
Detection & IOCs
- Attacker must have network access to GlobalProtect interfaces to exploit this SCEP OS command injection vulnerability; monitor and restrict inbound traffic to GlobalProtect interfaces from untrusted networks
- Exploitation targets the SCEP feature of PAN-OS; detect anomalous or unexpected SCEP requests (HTTP/HTTPS) arriving at GlobalProtect interfaces, especially from unauthenticated sources
- Successful exploitation results in arbitrary code execution as root; monitor PAN-OS devices for unexpected root-level process spawning or unusual child processes from SCEP/web-facing daemons
- Changing the master key for the firewall prevents exploitation; this is a documented workaround and security best practice for both PAN-OS and Prisma Access customers
- Attacker requires specific knowledge of the firewall configuration to exploit; exposure is reduced for firewalls with non-default or undisclosed SCEP configurations
- Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewall deployments are also impacted, not just on-premises PAN-OS
- Special requirements apply for high-availability (HA) and Panorama-managed environments when applying the master key workaround
CVSS provenance
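| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |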
GHSA
ghsa_unreviewed·2022-05-24
CVE-2021-3060 [HIGH] CWE-78 GHSA-xhxm-4vx2-mf6c: An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated networ
Palo Alto
PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)
vendor_paloalto·2021-11-10·CVSS 8.1
CVE-2021-3060 [HIGH] CWE-78 PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue.
Affected products: PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.
Workaround: Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Acce
- https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html
- https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html
- https://security.paloaltonetworks.com/CVE-2021-3060
Published: 2021-11-10