November 15, 2021

Randori discovered Zero-day in Palo Alto’s GlobalProtect Firewall, affecting ~10,000 assets.


Palo Alto Networks (PAN) released an update on November 10, 2021, that patched CVE-2021-3064, which was discovered and disclosed by Randori. This vulnerability affects PAN firewalls that use the GlobalProtect Portal VPN, and it allows for unauthenticated remote code execution on susceptible product installations. The vulnerability affects all versions of PAN-OS 8.1 prior to 8.1.17, and Randori has discovered over 10,000 vulnerable instances on internet-facing assets.

Disclosure Timeline


Technical Overview

The researchers were able to successfully exploit the following systems that have GlobalProtect enabled and accessible:

Vulnerability & Exploit Details

The CVE-2021-3064 vulnerability is a buffer overflow that occurs while parsing user-supplied information into a fixed-length position on the stack. Without using an HTTP smuggling approach, the troublesome code is not accessible from the outside world. An unauthenticated network-based attacker can disrupt system operations and potentially execute arbitrary code with root privileges by exploiting a memory corruption vulnerability in Palo Alto Networks GlobalProtect portal and gateway interfaces. To exploit this vulnerability, the attacker must have network access to the GlobalProtect interface.

An attacker must have network access to the device on the GlobalProtect service port(default port 443) in order to exploit this issue. This port is frequently accessible over the Internet since the impacted product is a VPN portal. Exploitation is challenging but not impossible on devices that have ASLR enabled. Due to the lack of ASLR on virtualized devices, exploitation is considerably easier.

Mitigation and Patch Information

  1. A patch issued by the PAN should be used.
  2. PAN has also made Threat Prevention signatures 91820 and 91855 accessible for use by organizations to avoid exploitation until a software upgrade is scheduled.
  3. Organizations that do not use the PAN firewall’s VPN features should immediately disable GlobalProtect.


Randori Report –

Palo Alto Networks Security Advisory-

Sign up to receive our monthly Newsletter & Blogs


Recent Resources

Dive into our library of resources for expert insights, guides, and in-depth analysis on maximizing Uni5 Xposure’s capabilities

Book a demo and find out more about how Hive Pro can double your operational efficiency

Book a Demo