CVE-2021-3031: PAN-OS: Information exposure in Ethernet data frame construction (Etherleak)
First published: Wed Jan 13 2021(Updated: )
Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets. This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001. This issue impacts: PAN-OS 8.1 version earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Paloaltonetworks Pan-os | >=8.1.0<8.1.18 | |
| Paloaltonetworks Pan-os | >=9.0.0<9.0.12 | |
| Paloaltonetworks Pan-os | >=9.1.0<9.1.5 | |
| Paloaltonetworks Pa-200 | ||
| Paloaltonetworks Pa-2020 | ||
| Paloaltonetworks Pa-2050 | ||
| Paloaltonetworks Pa-220 | ||
| Paloaltonetworks Pa-3020 | ||
| Paloaltonetworks Pa-3050 | ||
| Paloaltonetworks Pa-3060 | ||
| Paloaltonetworks Pa-3220 | ||
| Paloaltonetworks Pa-3250 | ||
| Paloaltonetworks Pa-3260 | ||
| Paloaltonetworks Pa-500 | ||
| Paloaltonetworks Pa-5200 | ||
| Paloaltonetworks Pa-800 |
Remedy
This issue is fixed in PAN-OS 8.1.18, PAN-OS 9.0.12, PAN-OS 9.1.5, and all later PAN-OS versions.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-3031?
CVE-2021-3031 is a vulnerability in Palo Alto Networks firewalls that allows for leakage of random information from firewall memory into Ethernet packets due to padding bytes not being cleared.
Which products are affected by CVE-2021-3031?
PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are affected by CVE-2021-3031.
How severe is CVE-2021-3031?
CVE-2021-3031 has a severity rating of 4.3, which is considered medium.
How can I fix CVE-2021-3031?
To fix CVE-2021-3031, Palo Alto Networks recommends upgrading to PAN-OS version 8.1.18, 9.0.12, or 9.1.5.
Where can I find more information about CVE-2021-3031?
You can find more information about CVE-2021-3031 on the Palo Alto Networks security advisory page: https://security.paloaltonetworks.com/CVE-2021-3031
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/paloaltonetworks
- canonical/paloaltonetworks pan-os
- version/paloaltonetworks pan-os/8.1.0
- version/paloaltonetworks pan-os/9.0.0
- version/paloaltonetworks pan-os/9.1.0
- canonical/paloaltonetworks pa-200
- canonical/paloaltonetworks pa-2020
- canonical/paloaltonetworks pa-2050
- canonical/paloaltonetworks pa-220
- canonical/paloaltonetworks pa-3020
- canonical/paloaltonetworks pa-3050
- canonical/paloaltonetworks pa-3060
- canonical/paloaltonetworks pa-3220
- canonical/paloaltonetworks pa-3250
- canonical/paloaltonetworks pa-3260
- canonical/paloaltonetworks pa-500
- canonical/paloaltonetworks pa-5200
- canonical/paloaltonetworks pa-800