CVE-2021-3031

PAN-OS: Information exposure in Ethernet data frame construction (Etherleak)

  • Severity Score: 4.3 (CVSS v3.1)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets. This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.

*Credits: This issue was found by a customer of Palo Alto Networks during a security review.
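
The check a scanner performs for this issue can be reproduced offline over captured frames: find where the layer-3 payload ends and verify that every byte after it is zero. The following is an added example, not code from Palo Alto Networks or from this record; the function names and sample frames are constructed, and it assumes frames captured without the FCS, carrying IPv4 or ARP, with at most one 802.1Q tag.

```python
import struct

ETH_HLEN, MIN_FRAME = 14, 60          # 60 = minimum frame size without the 4-byte FCS
IPV4, ARP, VLAN = 0x0800, 0x0806, 0x8100


def padding_of(frame: bytes) -> bytes:
    """Return the bytes that follow the layer-3 payload (the Ethernet padding)."""
    if len(frame) < ETH_HLEN:
        raise ValueError("truncated Ethernet header")
    offset = ETH_HLEN
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == VLAN:             # skip a single 802.1Q tag
        if len(frame) < ETH_HLEN + 4:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset += 4
    if ethertype == IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        (l3_len,) = struct.unpack_from("!H", frame, offset + 2)  # IPv4 Total Length
    elif ethertype == ARP:
        l3_len = 28                   # ARP over Ethernet/IPv4 is always 28 bytes
    else:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    if l3_len < 20 or offset + l3_len > len(frame):
        raise ValueError("layer-3 length inconsistent with frame")
    return frame[offset + l3_len:]


def leaks_padding(frame: bytes) -> bool:
    """True when any padding byte is non-zero, the Etherleak symptom."""
    return any(padding_of(frame))


def build_frame(ethertype: int, l3: bytes, fill: bytes = b"\x00") -> bytes:
    """Constructed test frame: fake MACs, payload, then padding up to 60 bytes."""
    head = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ethertype)
    pad_len = max(0, MIN_FRAME - len(head) - len(l3))
    return head + l3 + (fill * pad_len)[:pad_len]


# Constructed samples: a 28-byte ARP reply and a 32-byte IPv4/ICMP packet.
ARP_L3 = struct.pack("!HHBBH6s4s6s4s", 1, IPV4, 6, 4, 2, b"\x02\0\0\0\0\x01",
                     bytes([192, 0, 2, 1]), b"\x02\0\0\0\0\x02", bytes([192, 0, 2, 2]))
ICMP_L3 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + bytes(8) + b"ping"
CLEAN = build_frame(ARP, ARP_L3)                           # zero-filled padding
DIRTY = build_frame(IPV4, ICMP_L3, fill=b"stale-heap-bytes")  # uncleared padding
print("clean leaks:", leaks_padding(CLEAN), "| dirty leaks:", leaks_padding(DIRTY))
```

Only frames shorter than the 60-byte minimum carry padding, so small ARP and ICMP replies from the device are the ones worth inspecting before and after upgrading to a fixed PAN-OS release.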
CVSS Scores
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-01-06 CVE Reserved
  • 2021-01-13 CVE Published
  • 2023-09-29 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status

Paloaltonetworks | Pan-os | >= 8.1.0 < 8.1.18 | - | Affected
  in Paloaltonetworks | Pa-200, Pa-2020, Pa-2050, Pa-220, Pa-3020, Pa-3050, Pa-3060, Pa-3220, Pa-3250, Pa-3260, Pa-500, Pa-5200, Pa-800 | - | - | Safe

Paloaltonetworks | Pan-os | >= 9.0.0 < 9.0.12 | - | Affected
  in Paloaltonetworks | Pa-200, Pa-2020, Pa-2050, Pa-220, Pa-3020, Pa-3050, Pa-3060, Pa-3220, Pa-3250, Pa-3260, Pa-500, Pa-5200, Pa-800 | - | - | Safe

Paloaltonetworks | Pan-os | >= 9.1.0 < 9.1.5 | - | Affected
  in Paloaltonetworks | Pa-200, Pa-2020, Pa-2050, Pa-220, Pa-3020, Pa-3050, Pa-3060, Pa-3220, Pa-3250, Pa-3260, Pa-500, Pa-5200, Pa-800 | - | - | Safe