CVE-2021-3033
📋 TL;DR
CVE-2021-3033 is an authentication bypass vulnerability in Palo Alto Networks Prisma Cloud Compute console that allows attackers to log in as any authorized user by exploiting improper SAML signature validation. This affects on-premises deployments of Prisma Cloud Compute versions 19.11, 20.04, 20.09, and 20.12 before update 1. The SaaS version is not vulnerable.
💻 Affected Systems
- Palo Alto Networks Prisma Cloud Compute Console
📦 What is this software?
Prisma Cloud by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Prisma Cloud Compute console, allowing attackers to access sensitive cloud security data, modify security policies, and potentially pivot to managed cloud environments.
Likely Case
Unauthorized access to the management console leading to data exfiltration, privilege escalation, and manipulation of cloud security configurations.
If Mitigated
Limited impact if console access is restricted to internal networks with strong network segmentation and monitoring.
🎯 Exploit Status
The vulnerability allows bypassing authentication entirely, making exploitation straightforward for attackers with network access to the console.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.12 update 1 or later
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2021-3033
Restart Required: Yes
Instructions:
1. Upgrade to Prisma Cloud Compute 20.12 update 1 or later.
2. Apply the update through the console or CLI.
3. Restart the Prisma Cloud Compute services.
4. Verify the fix by testing SAML authentication.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the Prisma Cloud Compute console to trusted IP addresses only
Configure firewall rules to allow only specific source IPs to access the console port (typically 443)
Disable SAML Authentication
Temporarily disable SAML authentication if it is not required, using local authentication instead
Navigate to Settings > Authentication > SAML and disable SAML authentication
🧯 If You Can't Patch
- Immediately restrict network access to the console using firewall rules to only allow trusted administrative IPs
- Implement additional authentication layers such as VPN or reverse proxy with MFA before accessing the console
🔍 How to Verify
Check if Vulnerable:
Check your Prisma Cloud Compute version in the console dashboard or via the CLI command 'pcc version'. If the version is 19.11, 20.04, 20.09, or 20.12 without update 1, you are vulnerable.
Check Version:
pcc version
Verify Fix Applied:
After patching, verify version shows 20.12 update 1 or later. Test SAML authentication to confirm proper signature validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual login patterns, such as multiple failed SAML authentication attempts followed by a successful login from an unexpected IP
- SAML authentication logs showing signature validation bypass
Network Indicators:
- Unauthorized access attempts to the console port (typically 443) from unexpected sources
- SAML authentication traffic patterns that bypass normal validation
SIEM Query:
source="prisma-cloud" AND (event_type="authentication" AND result="success") AND src_ip NOT IN [trusted_admin_ips]
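The log indicators and the SIEM query above, worked through as an added example that is not part of the original advisory: a small Python detector that runs over constructed sample log lines and flags (a) successful authentication events from source IPs outside an admin allow-list, which is the SIEM query expressed in code, and (b) a source IP that accumulates repeated SAML failures and then succeeds. The JSON field names (event_type, result, src_ip, method), the sample records and the 10.10.0.0/24 allow-list are assumptions for illustration, not the product's actual log schema.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample log lines (not real Prisma Cloud Compute output). The
# field names mirror the SIEM query above and are an assumed schema.
SAMPLE_LOGS = [
    '{"ts": "2021-02-01T10:00:01Z", "event_type": "authentication", "method": "saml", "user": "admin", "result": "failure", "src_ip": "203.0.113.7"}',
    '{"ts": "2021-02-01T10:00:05Z", "event_type": "authentication", "method": "saml", "user": "admin", "result": "failure", "src_ip": "203.0.113.7"}',
    '{"ts": "2021-02-01T10:00:09Z", "event_type": "authentication", "method": "saml", "user": "admin", "result": "success", "src_ip": "203.0.113.7"}',
    '{"ts": "2021-02-01T10:05:00Z", "event_type": "authentication", "method": "saml", "user": "ops", "result": "success", "src_ip": "10.10.0.15"}',
    '{"ts": "2021-02-01T10:06:00Z", "event_type": "policy_change", "user": "admin", "result": "success", "src_ip": "203.0.113.7"}',
    '{"ts": "2021-02-01T10:07:00Z", "event_type": "authentication", "method": "local", "user": "audit", "result": "success", "src_ip": "198.51.100.9"}',
]

# Assumed allow-list of administrative networks (the [trusted_admin_ips] of the query).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def is_trusted(ip) -> bool:
    """True only for a well-formed address inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed source address is never trusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def parse_events(lines):
    """Parse one JSON record per line; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def untrusted_successful_logins(events):
    """Code equivalent of the SIEM query: successful authentication from a non-allow-listed IP."""
    return [
        e for e in events
        if e.get("event_type") == "authentication"
        and e.get("result") == "success"
        and not is_trusted(e.get("src_ip"))
    ]


def failures_then_success(events, threshold=2):
    """Flag an untrusted IP whose SAML success follows >= threshold SAML failures.

    Events are assumed to be in chronological order.
    """
    fails = defaultdict(int)
    hits = []
    for e in events:
        if e.get("event_type") != "authentication" or e.get("method") != "saml":
            continue
        ip = e.get("src_ip", "unknown")
        if e.get("result") == "failure":
            fails[ip] += 1
        elif e.get("result") == "success":
            if fails[ip] >= threshold and not is_trusted(ip):
                hits.append({"src_ip": ip, "user": e.get("user"),
                             "prior_failures": fails[ip], "ts": e.get("ts")})
            fails[ip] = 0  # reset the counter after any success
    return hits


def run_detection(lines=SAMPLE_LOGS):
    """Run both detections and return their hits keyed by name."""
    events = parse_events(lines)
    return {
        "untrusted_logins": untrusted_successful_logins(events),
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in run_detection().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

On the sample data the first detection returns the admin login from 203.0.113.7 and the local audit login from 198.51.100.9, while the second returns only 203.0.113.7, since it is the only source with two SAML failures before its success. The ops login from 10.10.0.15 is inside the allow-list and is not reported by either check.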