Palo Alto Networks has released a critical patch for their firewalls with GlobalProtect Portal or Gateway interfaces. With a critical severity rating of 9.8, this memory corruption vulnerability could allow an attacker to execute remote code on the firewall with root privileges.
According to the security advisory published by Palo Alto Networks:
This issue is an RCE vulnerability. This issue enables an unauthenticated network-based attacker with access to a GlobalProtect interface to execute arbitrary code with root user privileges.
The vulnerability was discovered by security researchers at Randori who have published a summary of the flaw, and will be disclosing full details in December (giving affected customers time to apply patches). For now we understand that the attack vector utilises HTTP request smuggling.
HTTP request smuggling is a technique that exploits a conflict that can occur between the interpretation of HTTP header elements when two or more HTTP servers are arranged in sequence – such as a web server sat behind a load balancer or firewall. By taking advantage of the inconsistent way
Transfer-encoding headers are processed, a request can be sent that is interpreted as one request by the first server but is seen as two different requests by the second server. The additional request is ‘smuggled’ within the body of the first request.
The vulnerability is tracked as CVE-2021-3064 and affects devices running PAN-OS versions prior to 8.1.17.