// For flags

CVE-2021-3047

PAN-OS: Weak Cryptography Used in Web Interface Authentication

Severity Score

3.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted.

Es usado un generador de números pseudoaleatorios (PRNG) débil desde el punto de vista criptográfico durante la autenticación en la interfaz web de PAN-OS de Palo Alto Networks. Esto permite a un atacante autenticado, con capacidad para observar sus propios secretos de autenticación durante un tiempo prolongado en el dispositivo PAN-OS, hacerse pasar por la sesión de otro administrador de la interfaz web autenticado. Este problema afecta a: PAN-OS versiones 8.1 anteriores a PAN-OS 8.1.19; PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.10; PAN-OS versiones 10.0 anteriores a PAN-OS 10.0.4. PAN-OS versiones 10.1 no están afectadas

*Credits: Palo Alto Networks thanks Google Security for discovering and reporting this issue.
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-06 CVE Reserved
  • 2021-08-11 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://security.paloaltonetworks.com/CVE-2021-3047 2021-08-19
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Paloaltonetworks
Search vendor "Paloaltonetworks"
 Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
 >= 8.1.0 < 8.1.19
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 8.1.0 < 8.1.19"
-
Affected
Paloaltonetworks
Search vendor "Paloaltonetworks"
 Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
 >= 9.0.0 < 9.0.14
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0.0 < 9.0.14"
-
Affected
Paloaltonetworks
Search vendor "Paloaltonetworks"
 Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
 >= 9.1.0 < 9.1.10
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.1.0 < 9.1.10"
-
Affected
Paloaltonetworks
Search vendor "Paloaltonetworks"
 Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
 >= 10.0.0 < 10.0.4
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.0.0 < 10.0.4"
-
Affected