About 10,000 enterprise servers running Palo Alto Networks’ GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10.
Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret.
CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.
“Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more,” researchers from Randori wrote on Wednesday. “Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”
Over the past few years, hackers have actively exploited vulnerabilities in a raft of enterprise firewalls and VPNs from the likes of Citrix, Microsoft, and Fortinet, government agencies warned earlier this year. Similar enterprise products, including those from Pulse Secure and SonicWall, have also come under attack. Now, Palo Alto Networks’ GlobalProtect may be poised to join the list.
A GlobalProtect portal provides the management functions that lock down network endpoints, and it holds the information about available gateways and any certificates that may be required to connect to them. The portal also controls the behavior and distribution of the GlobalProtect app software to both macOS and Windows endpoints.
CVE-2021-3064 affects only PAN-OS 8.1 releases earlier than 8.1.17; PAN-OS is the firewall operating system that GlobalProtect runs on. While those versions are more than a year old, Randori said that data provided by Shodan showed that an estimated 10,000 Internet-connected servers are running them (an estimate from an earlier version of the post put the number at 70,000). Independent researcher Kevin Beaumont said that Shodan searches he performed indicated that roughly half of all GlobalProtect instances seen by Shodan were vulnerable.
The overflow occurs when the software parses user-supplied input into a fixed-length buffer on the stack. The buggy code can’t be reached externally without using what’s known as HTTP request smuggling, an exploit technique that interferes with the way a website processes sequences of HTTP requests on a single connection. The vulnerability arises when a website’s frontend and backend interpret the boundary of an HTTP request differently, so the two desynchronize.
The confusion is usually the result of code that deviates from the HTTP specification when a request carries both a Content-Length header and a Transfer-Encoding header, each of which describes where the body ends. If the frontend frames the body one way and the backend the other, the bytes left over on the backend are treated as the start of the next request on that connection, so an attacker’s bytes get prepended to a later request from another user, and the response to the smuggled request can be delivered to that user. Request smuggling vulnerabilities are often critical because they allow an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.
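To make the desync concrete, here is an added example (not Randori’s code, and not a reproduction of the GlobalProtect bug) that models the Content-Length versus Transfer-Encoding disagreement with two toy request framers fed the same byte stream. The hostnames, paths, and traffic are constructed for the demonstration. A third, strict framer shows the defensive behavior: refusing a request that carries both headers instead of guessing.

```python
"""CL.TE request-smuggling desync, modelled with two toy HTTP framers.

Added illustration for this article; not Palo Alto Networks' or Randori's
code. The "frontend" frames bodies by Content-Length only, the "backend"
honours Transfer-Encoding: chunked as RFC 7230 s3.3.3 requires, and the
same bytes come out as different requests on each side.
"""
from __future__ import annotations

from typing import Callable, Optional

# A framer maps (lowercased headers, bytes after the blank line) to the
# body length in bytes, or None if the body is not yet complete.
Framer = Callable[[dict, bytes], Optional[int]]


def _parse_head(stream: bytes) -> tuple[dict[str, str], int] | None:
    """Return (headers, offset of first body byte), or None if the head is incomplete."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:                       # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, end + 4


def _chunked_body_len(body: bytes) -> int | None:
    """Bytes consumed by a chunked body, through the terminal chunk and trailer blank line."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return None
        size = int(body[pos:nl].split(b";")[0].strip(), 16)   # drop chunk extensions
        pos = nl + 2
        if size == 0:                            # terminal chunk: skip trailers to blank line
            while True:
                nl = body.find(b"\r\n", pos)
                if nl < 0:
                    return None
                line_len, pos = nl - pos, nl + 2
                if line_len == 0:
                    return pos
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            return None                          # truncated or malformed chunk
        pos += 2


def frontend_framing(headers: dict[str, str], body: bytes) -> int | None:
    """Frames by Content-Length alone and ignores Transfer-Encoding (the buggy side)."""
    n = int(headers.get("content-length", "0"))
    return n if len(body) >= n else None


def backend_framing(headers: dict[str, str], body: bytes) -> int | None:
    """RFC 7230 s3.3.3 behaviour: a chunked transfer-coding overrides Content-Length."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return _chunked_body_len(body)
    return frontend_framing(headers, body)


def strict_framing(headers: dict[str, str], body: bytes) -> int | None:
    """Defensive variant: refuse the ambiguous case instead of guessing."""
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("ambiguous framing: both Content-Length and Transfer-Encoding")
    return backend_framing(headers, body)


def split_requests(stream: bytes, framing: Framer) -> tuple[list[bytes], bytes]:
    """Cut `stream` into complete requests under `framing`; return (requests, leftover)."""
    requests: list[bytes] = []
    while stream:
        parsed = _parse_head(stream)
        if parsed is None:
            break
        headers, body_start = parsed
        body_len = framing(headers, stream[body_start:])
        if body_len is None:
            break
        total = body_start + body_len
        requests.append(stream[:total])
        stream = stream[total:]
    return requests, stream


def request_line(request: bytes) -> str:
    return request.split(b"\r\n", 1)[0].decode("latin-1")


def strict_rejects(stream: bytes) -> bool:
    """True if the strict framer refuses the stream as ambiguous."""
    try:
        split_requests(stream, strict_framing)
        return False
    except ValueError:
        return True


# Constructed traffic: the attacker's request, then an innocent request from
# another client that the frontend forwards over the same backend connection.
SMUGGLED = b"GET /admin HTTP/1.1\r\nFoo: "
ATTACK_BODY = b"0\r\n\r\n" + SMUGGLED            # CL covers all of it; TE ends at "0\r\n\r\n"
ATTACK = (
    b"POST / HTTP/1.1\r\nHost: vpn.example.test\r\n"
    + (b"Content-Length: %d\r\n" % len(ATTACK_BODY))
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + ATTACK_BODY
)
VICTIM = b"GET /account HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"
STREAM = ATTACK + VICTIM


def demo() -> dict[str, list[str]]:
    """Request lines each side sees: the frontend forwards two honest-looking
    requests; the backend swallows the victim's request line into the
    smuggled GET /admin as the value of its Foo header."""
    front, _ = split_requests(STREAM, frontend_framing)
    back, _ = split_requests(STREAM, backend_framing)
    return {"frontend": [request_line(r) for r in front],
            "backend": [request_line(r) for r in back]}


if __name__ == "__main__":
    for side, lines in demo().items():
        print(side, lines)
```

Running it prints two requests per side with different second request lines: the frontend logs the victim’s `GET /account`, while the backend executes the attacker’s `GET /admin` with the victim’s request line buried in a header. Real HTTP parsers have many more edge cases (obfuscated `Transfer-Encoding` values, header folding, and so on), which is why the strict framer, which rejects any request carrying both headers, is the behavior to want at a network edge.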
“A pretty gaping hole,” independent security researcher David Longenecker wrote of the GlobalProtect bug on Twitter. “And the sort of hole that the nastiest of actors have been exploiting in just about every remote access product over the last few years.”
Randori said that the risk is particularly acute for virtual versions of the vulnerable product because they don’t have address space layout randomization (ASLR) enabled. ASLR randomizes where code and data are loaded in memory, which makes reliable exploitation of a memory-corruption bug much harder because an attacker can no longer predict the addresses an exploit must target.
“On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible,” Randori researchers wrote. “On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface. Randori researchers have not exploited the buffer overflow to result in controlled code execution on certain hardware device versions with MIPS-based management plane CPUs due to their big endian architecture, though the overflow is reachable on these devices and can be exploited to limit availability of services.”
What took you so long?
Randori’s post said company researchers discovered the buffer overflow and the HTTP smuggling flaw last November. A couple of weeks later, the company “began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.”
“Red team tools and techniques, including zero-day exploits, are necessary to the success of our customers and the cybersecurity world as a whole,” Randori CTO David Wolpoff wrote in a post. “However, like any offensive tooling, vulnerability information must be handled carefully and with the respect it is due. Our mission is to provide a highly valuable experience to our customers, while also recognizing and managing the associated risks.”
Palo Alto Networks has published a short security advisory. In an email, company officials wrote: “The security of our customers is our top priority. The security advisory released today addresses a vulnerability that may impact customers using old versions of PAN-OS (8.1.16 and earlier). We took immediate steps to implement mitigations. As outlined in the security advisory, we are not aware of any malicious attempts to exploit the vulnerability. We strongly encourage following best practices to keep systems updated and thank the researchers for alerting us and sharing their findings.”
Any organization that uses the Palo Alto Networks GlobalProtect platform should review the Randori advisory carefully, check which PAN-OS version its firewalls are running, and upgrade any vulnerable device to PAN-OS 8.1.17 or later as soon as possible.