CVE-2021-3060: OS Command Injection
First published: Wed Nov 10 2021(Updated: )
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Paloaltonetworks Prisma Access | =2.1 | |
| Paloaltonetworks Prisma Access | =2.1 | |
| Paloaltonetworks Pan-os | >=8.1.0<=8.1.20 | |
| Paloaltonetworks Pan-os | >=9.0.0<=9.0.14 | |
| Paloaltonetworks Pan-os | >=9.1.0<=9.1.11 | |
| Paloaltonetworks Pan-os | >=10.0.0<10.0.8 | |
| Paloaltonetworks Pan-os | >=10.1.0<10.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html
- https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html
- https://security.paloaltonetworks.com/CVE-2021-3060
Frequently Asked Questions
What is CVE-2021-3060?
CVE-2021-3060 is an OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software that allows an unauthenticated attacker to execute arbitrary code with root user privileges.
How severe is CVE-2021-3060?
CVE-2021-3060 has a severity level of 8.1, which is considered critical.
Which software versions are affected by CVE-2021-3060?
Paloaltonetworks Prisma Access version 2.1, and Paloaltonetworks Pan-os versions 8.1.0 to 8.1.20, 9.0.0 to 9.0.14, 9.1.0 to 9.1.11, and 10.0.0 to 10.0.8 are affected by CVE-2021-3060.
How can I fix CVE-2021-3060?
To fix CVE-2021-3060, upgrade to a non-vulnerable version of Paloaltonetworks Prisma Access or Paloaltonetworks Pan-os software.
Where can I find more information about CVE-2021-3060?
You can find more information about CVE-2021-3060 on the Palo Alto Networks documentation and security websites.
- collector/nvd-index
- vendor/paloaltonetworks
- canonical/paloaltonetworks prisma access
- version/paloaltonetworks prisma access/2.1
- canonical/paloaltonetworks pan-os
- version/paloaltonetworks pan-os/8.1.0
- version/paloaltonetworks pan-os/8.1.20
- version/paloaltonetworks pan-os/9.0.0
- version/paloaltonetworks pan-os/9.0.14
- version/paloaltonetworks pan-os/9.1.0
- version/paloaltonetworks pan-os/9.1.11
- version/paloaltonetworks pan-os/10.0.0
- version/paloaltonetworks pan-os/10.1.0