CVE-2021-3062

8.1 HIGH

📋 TL;DR

An improper access control vulnerability in PAN-OS allows authenticated GlobalProtect users to access the EC2 instance metadata endpoint on AWS-hosted VM-Series firewalls. This enables attackers to perform any operations allowed by the EC2 role in AWS, potentially leading to cloud resource compromise. Affected systems include PAN-OS 8.1, 9.0, 9.1, and 10.0 versions before specific patch releases on VM-Series firewalls hosted on Amazon AWS.

💻 Affected Systems

Products:
  • PAN-OS VM-Series firewalls
Versions: PAN-OS 8.1 < 8.1.20, PAN-OS 9.0 < 9.0.14, PAN-OS 9.1 < 9.1.11, PAN-OS 10.0 < 10.0.8
Operating Systems: PAN-OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects VM-Series firewalls hosted on Amazon AWS. Prisma Access customers are not impacted. Requires authenticated GlobalProtect access.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of AWS resources associated with the EC2 role, including data exfiltration, service disruption, lateral movement within the cloud environment, and potential account takeover.

🟠

Likely Case

Unauthorized access to sensitive AWS metadata, credential theft from instance metadata service, and potential privilege escalation within the AWS environment.

🟢

If Mitigated

Limited impact with proper network segmentation, minimal EC2 role permissions, and monitoring of metadata service access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to a GlobalProtect portal or gateway. Once authenticated, the vulnerability gives straightforward access to the EC2 instance metadata endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PAN-OS 8.1.20, 9.0.14, 9.1.11, 10.0.8 or later

Vendor Advisory: https://security.paloaltonetworks.com/CVE-2021-3062

Restart Required: Yes

Instructions:

1. Download the appropriate PAN-OS patch version from the Palo Alto support portal.
2. Upload the software to the firewall.
3. Install the update via CLI or WebUI.
4. Reboot the firewall to complete the installation.

🔧 Temporary Workarounds

Restrict GlobalProtect Access

Applies to: all

Limit GlobalProtect portal/gateway access to trusted users only using authentication and authorization controls.

Minimize EC2 Role Permissions

Applies to: all

Apply principle of least privilege to EC2 instance roles to limit potential damage from metadata access.

🧯 If You Can't Patch

  • Implement strict network controls to block access to EC2 metadata endpoint (169.254.169.254) from GlobalProtect interfaces
  • Enhance monitoring for unusual metadata service access patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check PAN-OS version via WebUI (Device > Setup > Operations) or CLI (show system info). Compare against affected versions list.

Check Version:

show system info | match version

Verify Fix Applied:

Verify PAN-OS version is at or above patched versions: 8.1.20, 9.0.14, 9.1.11, or 10.0.8.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to EC2 metadata endpoint from GlobalProtect IPs
  • Authentication logs showing unexpected GlobalProtect user access

Network Indicators:

  • HTTP requests to 169.254.169.254 from firewall interfaces
  • Increased metadata service traffic

SIEM Query:

source_ip IN (GlobalProtect_IPs) AND dest_ip = '169.254.169.254' AND http_method = 'GET'
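An added detection example (not part of this page or of Palo Alto's tooling) that applies the query above to constructed traffic-log lines; the GlobalProtect client pool and the space-separated key=value log format are assumptions. It goes slightly beyond the page's GET-only query by matching any HTTP method, since IMDSv2 token requests use PUT.

```python
import ipaddress

# Assumption: GlobalProtect client address pool(s) handed out by the gateway.
GLOBALPROTECT_POOLS = [ipaddress.ip_network("10.200.0.0/16")]
# EC2 instance metadata service (IMDS) link-local address, as in the advisory.
IMDS_ENDPOINT = ipaddress.ip_address("169.254.169.254")

def parse_line(line: str) -> dict:
    """Parse a constructed space-separated key=value traffic-log line."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields

def is_globalprotect_source(ip: str) -> bool:
    """True if the source address lies inside a GlobalProtect client pool."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in GLOBALPROTECT_POOLS)

def find_imds_hits(lines):
    """Return (ts, src, method, url) for GlobalProtect-sourced requests to IMDS.
    The page's query matches GET only; IMDSv2 token requests use PUT, so the
    method is recorded rather than filtered."""
    hits = []
    for line in lines:
        f = parse_line(line)
        try:
            dst = ipaddress.ip_address(f.get("dst", ""))
        except ValueError:
            continue  # malformed or missing destination: skip the line
        if dst != IMDS_ENDPOINT or not is_globalprotect_source(f.get("src", "")):
            continue
        hits.append((f.get("ts", "?"), f["src"], f.get("method", "?").upper(), f.get("url", "")))
    return hits

# Constructed sample log lines (not real firewall output).
SAMPLE_LOGS = [
    "ts=2021-11-10T10:01:02Z src=10.200.3.7 dst=169.254.169.254 method=GET url=/latest/meta-data/",
    "ts=2021-11-10T10:01:05Z src=10.200.3.7 dst=10.1.1.20 method=GET url=/index.html",
    "ts=2021-11-10T10:02:00Z src=192.0.2.9 dst=169.254.169.254 method=GET url=/latest/meta-data/",
    "ts=2021-11-10T10:03:11Z src=10.200.9.1 dst=169.254.169.254 method=PUT url=/latest/api/token",
]
```

Running `find_imds_hits(SAMPLE_LOGS)` flags the first and last lines; the second targets a normal host and the third comes from outside the GlobalProtect pool.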
