CVE-2021-3060
published 2021-11-10


Priority: P2 · 68 · CVSS 3.1 base score 8.1 (high)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 33.88% (98.2th percentile)
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.

Affected (15 ranges)

Vendor              Product         Version range            Fixed in
palo_alto_networks  pan-os          >= 10.0 < 10.0.8         10.0.8
palo_alto_networks  pan-os          >= 10.1 < 10.1.3         10.1.3
palo_alto_networks  pan-os          >= 8.1 < 8.1.20-h1       8.1.20-h1
palo_alto_networks  pan-os          >= 9.0 < 9.0.14-h3       9.0.14-h3
palo_alto_networks  pan-os          >= 9.1 < 9.1.11-h2       9.1.11-h2
palo_alto_networks  prisma_access   (no range given)
palo_alto_networks  prisma_access   (no range given)
paloalto            pan-os          (no range given)
paloalto            prisma_access   (no range given)
paloaltonetworks    pan-os          >= 10.0.0 < 10.0.8       10.0.8
paloaltonetworks    pan-os          >= 10.1.0 < 10.1.3       10.1.3
paloaltonetworks    pan-os          8.1.0 – 8.1.20           (not given)
paloaltonetworks    pan-os          9.0.0 – 9.0.14           (not given)
paloaltonetworks    pan-os          9.1.0 – 9.1.11           (not given)
paloaltonetworks    prisma_access   (no range given)

Detection & IOCs (extracted from sources)

  • Attacker must have network access to GlobalProtect interfaces to exploit this SCEP OS command injection vulnerability; monitor and restrict inbound traffic to GlobalProtect interfaces from untrusted networks
  • Exploitation targets the SCEP feature of PAN-OS; detect anomalous or unexpected SCEP requests (HTTP/HTTPS) arriving at GlobalProtect interfaces, especially from unauthenticated sources
  • Successful exploitation results in arbitrary code execution as root; monitor PAN-OS devices for unexpected root-level process spawning or unusual child processes from SCEP/web-facing daemons
  • Changing the master key for the firewall prevents exploitation; this is a documented workaround and security best practice for both PAN-OS and Prisma Access customers
  • Attacker requires specific knowledge of the firewall configuration to exploit; exposure is reduced for firewalls with non-default or undisclosed SCEP configurations
  • Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewall deployments are also impacted, not just on-premises PAN-OS
  • Special requirements apply for high-availability (HA) and Panorama-managed environments when applying the master key workaround

CVSS provenance

Source  Version  Score  Severity   Vector
NVD     v3.1     8.1    HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD     v2.0     9.3    CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C