Metrics
Affected Vendors & Products
Solution
This issue is fixed in PAN-OS 8.1.20-h1, PAN-OS 9.0.14-h3, PAN-OS 9.1.11-h2, PAN-OS 10.0.8, PAN-OS 10.1.3, and all later PAN-OS versions.
Workaround
Changing the master key for the firewall prevents exploitation of this vulnerability. This is a security best practice for both PAN-OS and Prisma Access customers. Documentation for configuring the master key is available at: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html. Please note the special requirements for high-availability (HA) and Panorama-managed environments. Additional information is available for Prisma Access customers at: https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html. Remove all configured SCEP profiles from the firewall to completely eliminate any risk of exploitation related to this issue. You can view any existing SCEP profiles configured on the firewall by selecting 'Device > Certificate Management > SCEP' from the web interface. This issue requires the attacker to have network access to the GlobalProtect interface. In addition to these workarounds, you should enable signatures for Unique Threat ID 91526 on traffic destined for GlobalProtect interfaces to further mitigate the risk of attacks against CVE-2021-3060. SSL decryption is not necessary to detect attacks against this issue.
No history.

Status: PUBLISHED
Assigner: palo_alto
Published:
Updated: 2024-09-16T18:56:09.537Z
Reserved: 2021-01-06T00:00:00
Link: CVE-2021-3060

No data.

Status : Modified
Published: 2021-11-10T17:15:10.157
Modified: 2024-11-21T06:20:52.560
Link: CVE-2021-3060

No data.

No data.