PT-2021-4803 · Palo Alto Networks · Pan-Os
Cj · Published 2021-11-10 · Updated 2021-11-15 · CVE-2021-3060

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
PAN-OS versions earlier than 8.1.20-h1
PAN-OS versions earlier than 9.0.14-h3
PAN-OS versions earlier than 9.1.11-h2
PAN-OS versions earlier than 10.0.8
PAN-OS versions earlier than 10.1.3

Description
An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue.

Recommendations
For PAN-OS 8.1, update to version 8.1.20-h1 or later.
For PAN-OS 9.0, update to version 9.0.14-h3 or later.
For PAN-OS 9.1, update to version 9.1.11-h2 or later.
For PAN-OS 10.0, update to version 10.0.8 or later.
For PAN-OS 10.1, update to version 10.1.3 or later.
As a temporary workaround, consider restricting access to the GlobalProtect interfaces until a patch is available.
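The fixed-version table above is easy to misread by hand because PAN-OS hotfix builds (8.1.20 versus 8.1.20-h1) sort after the plain maintenance release on the same train. The following is an added example, not part of this advisory and not a Palo Alto Networks tool: it parses "major.minor.patch[-hN]" strings, compares each firewall's build against the fix for its own release train, and sorts a constructed inventory into affected, fixed and unlisted buckets. Assumptions of mine: a missing hotfix suffix counts as hotfix 0, hotfix numbers increase monotonically within a maintenance release, and trains the advisory does not name (including anything older than 8.1) are reported as unlisted rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per release train, copied from the Recommendations section
# (PAN-OS 8.1 / 9.0 / 9.1 / 10.0 / 10.1). A build is affected when it is
# older than the listed fix on its own train.
FIXED_VERSIONS = {
    (8, 1): "8.1.20-h1",
    (9, 0): "9.0.14-h3",
    (9, 1): "9.1.11-h2",
    (10, 0): "10.0.8",
    (10, 1): "10.1.3",
}

# Assumed version grammar: major.minor.patch with an optional "-hN" hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A missing hotfix suffix counts as hotfix 0, so 8.1.20 < 8.1.20-h1
    (assumption: hotfix numbering is monotonic within a maintenance release).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if `version` is older than the fix on its train, False if it is
    at or past the fix, None if the train is not in the advisory's table
    (treat None as 'consult vendor guidance', never as safe)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a {hostname: version} inventory into affected/fixed/unlisted."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unlisted": []}
    for host, version in inventory.items():
        status = is_affected(version)
        bucket = "unlisted" if status is None else ("affected" if status else "fixed")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = {
        "fw-edge-01": "8.1.20",      # on the 8.1 train, one hotfix short of the fix
        "fw-edge-02": "8.1.20-h1",   # exactly the fixed build
        "fw-dc-01": "10.0.7",        # below 10.0.8
        "fw-dc-02": "10.1.3",        # exactly the fixed build
        "fw-lab-01": "9.2.0",        # train not named in the advisory
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison is deliberately per-train: a 9.0 firewall is never judged against the 10.1 fix, which is what "update to version X or later" on each line means. Feed it your real inventory export and treat the unlisted bucket as work to do, not as a clean result.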

Weakness Enumeration

OS Command Injection
Related Identifiers

BDU:2021-05528
CVE-2021-3060

Affected Products

Pan-Os