CVE-2021-3056

8.8 HIGH

📋 TL;DR

A memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Clientless VPN allows authenticated attackers to execute arbitrary code with root privileges during SAML authentication. This affects PAN-OS versions 8.1 before 8.1.20, 9.0 before 9.0.14, 9.1 before 9.1.9, and 10.0 before 10.0.1, as well as Prisma Access 2.1 Preferred firewalls.

💻 Affected Systems

Products:
  • Palo Alto Networks PAN-OS
  • Prisma Access
Versions: PAN-OS 8.1 < 8.1.20, 9.0 < 9.0.14, 9.1 < 9.1.9, 10.0 < 10.0.1; Prisma Access 2.1 Preferred
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SAML authentication configuration and authenticated attacker access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level code execution, allowing attackers to steal credentials, pivot to internal networks, or deploy ransomware.

🟠 Likely Case

Privilege escalation leading to data exfiltration, lateral movement, or persistent backdoor installation.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific SAML configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PAN-OS 8.1.20, 9.0.14, 9.1.9, 10.0.1

Vendor Advisory: https://security.paloaltonetworks.com/CVE-2021-3056

Restart Required: Yes

Instructions:

1. Download the appropriate PAN-OS version from the Palo Alto Networks support portal.
2. Upload it to the firewall.
3. Install the update via the CLI or web interface.
4. Reboot the firewall.

🔧 Temporary Workarounds

Disable Clientless VPN (applies to: all affected versions)

Temporarily disable the GlobalProtect Clientless VPN feature if it is not required.

Restrict SAML Authentication (applies to: all affected versions)

Limit SAML authentication to trusted identity providers only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate VPN traffic.
  • Enable detailed logging and monitoring for SAML authentication anomalies.

🔍 How to Verify

Check if Vulnerable:

Check PAN-OS version via web interface or CLI command 'show system info'.

Check Version:

show system info | match version

Verify Fix Applied:

Confirm the PAN-OS version is 8.1.20, 9.0.14, 9.1.9, or 10.0.1, or a later release in the same release train.
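As an added example (not part of this advisory and not Palo Alto Networks tooling), the following Python helper reads the "sw-version" line from "show system info" output and compares it against the fixed releases listed above, per release train. The sample output is constructed; a hotfix suffix such as "-h2" is ignored for the comparison.

```python
"""Added example: classify a PAN-OS build against the CVE-2021-3056 fix list."""
import re

# Fixed releases named in the advisory, keyed by release train (major, minor).
FIXED_VERSIONS = {
    (8, 1): (8, 1, 20),
    (9, 0): (9, 0, 14),
    (9, 1): (9, 1, 9),
    (10, 0): (10, 0, 1),
}

# Constructed sample of `show system info` output (not from a real device).
SAMPLE_SHOW_SYSTEM_INFO = """hostname: fw-edge-01
model: PA-220
sw-version: 9.1.8-h2
app-version: 8453-6723
"""


def parse_sw_version(show_system_info: str) -> tuple:
    """Return the sw-version as a tuple of ints, e.g. (9, 1, 8).

    Hotfix suffixes such as '-h2' are dropped: the advisory lists fixes by
    base release, so 9.1.8-h2 is still compared as 9.1.8.
    """
    m = re.search(r"^\s*sw-version:\s*([\d.]+)", show_system_info, re.M)
    if not m:
        raise ValueError("no sw-version line found in output")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(show_system_info: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not-listed' for the given output.

    'not-listed' means the release train is not named in the advisory at
    all (for example 10.1.x); check the vendor advisory rather than
    assuming it is safe.
    """
    version = parse_sw_version(show_system_info)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_SYSTEM_INFO))  # the 9.1.8-h2 sample is below 9.1.9
```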

📡 Detection & Monitoring

Log Indicators:

  • Unusual SAML authentication patterns
  • Multiple failed authentication attempts from single source
  • Unexpected process execution on firewall

Network Indicators:

  • Anomalous traffic from VPN endpoints
  • Unexpected outbound connections from firewall

SIEM Query:

source="pan-firewall" AND (event_type="authentication" AND result="failure") AND saml_auth=true
