CVE-2021-3048 : Security Advisory and Response

A vulnerability in Palo Alto Networks PAN-OS software could allow attackers to cause a denial-of-service condition on affected firewalls.

Understanding CVE-2021-3048

This CVE relates to invalid URLs in an External Dynamic List (EDL) that may lead to a firewall outage.

What is CVE-2021-3048?

An issue in PAN-OS versions prior to 9.0.14, 9.1.9, and 10.0.5 could cause the Device Server daemon to stop responding, leading to firewall configuration failures and a denial-of-service condition if the firewall restarts.

The Impact of CVE-2021-3048

This vulnerability poses a medium severity threat with a CVSS base score of 5.9, affecting firewalls running specific PAN-OS versions.

Technical Details of CVE-2021-3048

This CVE involves improper input validation (CWE-20) where invalid URL entries disrupt the firewall's operation, impacting certain PAN-OS versions.

Vulnerability Description

Invalid URLs in configured External Dynamic Lists can cause the Device Server daemon to stop responding, leading to firewall outages.

Affected Systems and Versions

PAN-OS versions earlier than 9.0.14, 9.1.9, and 10.0.5 are vulnerable to this issue.

Exploitation Mechanism

Attackers can exploit this vulnerability by inserting invalid URL entries into EDL configurations, triggering a denial-of-service condition.

Mitigation and Prevention

Proactively addressing this vulnerability is crucial to maintaining firewall security.

Immediate Steps to Take

Update PAN-OS to versions 9.0.14, 9.1.9, or 10.0.5, or later. Remove invalid URL entries from EDL configurations.

Long-Term Security Practices

Regularly update PAN-OS and avoid configuring EDLs from untrustworthy sources.

Patching and Updates

Ensure continuous monitoring for security updates and apply patches promptly to prevent potential vulnerabilities.