CVE-2021-3048 – PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage
https://notcve.org/view.php?id=CVE-2021-3048
Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted. • https://security.paloaltonetworks.com/CVE-2020-3048 https://security.paloaltonetworks.com/CVE-2021-3048 • CWE-20: Improper Input Validation •
CVE-2021-3047 – PAN-OS: Weak Cryptography Used in Web Interface Authentication
https://notcve.org/view.php?id=CVE-2021-3047
A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted. Es usado un generador de números pseudoaleatorios (PRNG) débil desde el punto de vista criptográfico durante la autenticación en la interfaz web de PAN-OS de Palo Alto Networks. • https://security.paloaltonetworks.com/CVE-2021-3047 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVE-2021-3046 – PAN-OS: Improper SAML Authentication Vulnerability in GlobalProtect Portal
https://notcve.org/view.php?id=CVE-2021-3046
An improper authentication vulnerability exists in Palo Alto Networks PAN-OS software that enables a SAML authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 10.1 versions are not impacted. Se presenta una vulnerabilidad de autenticación inapropiada en el software PAN-OS de Palo Alto Networks, que permite a un atacante con autenticación SAML hacerse pasar por cualquier otro usuario en GlobalProtect Portal y GlobalProtect Gateway cuando están configurados para usar la autenticación SAML. Este problema afecta a: PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.19; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.9; PAN-OS versiones 10.0 anteriores a PAN-OS 10.0.5. • https://security.paloaltonetworks.com/CVE-2021-3046 • CWE-287: Improper Authentication •
CVE-2021-3045 – PAN-OS: OS Command Argument Injection in Web Interface
https://notcve.org/view.php?id=CVE-2021-3045
An OS command argument injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10. PAN-OS 10.0 and later versions are not impacted. Una vulnerabilidad de inyección de argumentos de comandos del Sistema Operativo en la interfaz web de PAN-OS de Palo Alto Networks, permite a un administrador autenticado leer cualquier archivo arbitrario del sistema de archivos. Este problema afecta a: PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.19; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.10. • https://security.paloaltonetworks.com/CVE-2021-3045 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2021-3037 – PAN-OS: Secrets for scheduled configuration exports are logged in system logs
https://notcve.org/view.php?id=CVE-2021-3037
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server. Se presenta una vulnerabilidad de exposición de información por medio de archivos de registro en el software PAN-OS de Palo Alto Networks, donde los detalles de conexión para una exportación de configuración programada son registrados en registros del sistema. La información registrada incluye el nombre de usuario en texto sin cifrar, la contraseña y la dirección IP usada para exportar la configuración de PAN-OS al servidor de destino • https://security.paloaltonetworks.com/CVE-2021-3037 • CWE-532: Insertion of Sensitive Information into Log File CWE-534: DEPRECATED: Information Exposure Through Debug Log Files •