CVE-2021-3048 - OpenCVE

Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Paloaltonetworks	Pan-os

Configuration 1 [-]

OR	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::
	cpe:2.3:o:paloaltonetworks:pan-os::::::::

References

Link	Resource
https://security.paloaltonetworks.com/CVE-2020-3048	Broken Link
https://security.paloaltonetworks.com/CVE-2021-3048	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: palo_alto

Published: 2021-08-11T00:00:00

Updated: 2021-08-11T17:10:19

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-3048

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-08-11T17:15:07.593

Modified: 2021-08-19T20:05:29.643

Link: CVE-2021-3048

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "10.1.*"}, {"status": "unaffected", "version": "8.1.*"}, {"changes": [{"at": "9.0.14", "status": "unaffected"}], "lessThan": "9.0.14", "status": "affected", "version": "9.0", "versionType": "custom"}, {"changes": [{"at": "9.1.9", "status": "unaffected"}], "lessThan": "9.1.9", "status": "affected", "version": "9.1", "versionType": "custom"}, {"changes": [{"at": "10.0.5", "status": "unaffected"}], "lessThan": "10.0.5", "status": "affected", "version": "10.0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "value": "This issue is applicable only if an External Dynamic List (EDL) is configured on the firewall.\nAn EDL that contains only domain names or IP addresses will not cause this issue."}], "credits": [{"lang": "en", "value": "This issue was encountered by some customers of Palo Alto Networks during regular operation."}], "datePublic": "2021-08-11T00:00:00", "descriptions": [{"lang": "en", "value": "Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-11T17:10:19", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2020-3048"}], "solutions": [{"lang": "en", "value": "This issue is fixed in PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.5, and all later PAN-OS versions.\n\nIf a firewall encounters this problem, you will require TAC assistance to make the firewall operational again."}], "source": {"defect": ["PAN-160455"], "discovery": "USER"}, "timeline": [{"lang": "en", "time": "2021-08-11T00:00:00", "value": "Initial publication"}], "title": "PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage", "workarounds": [{"lang": "en", "value": "You can prevent this issue by removing all invalid URL entries from source EDLs or removing the EDL from your configuration.\n\nAdditionally, do not configure EDLs from websites that you do not trust."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2021-08-11T16:00:00.000Z", "ID": "CVE-2021-3048", "STATE": "PUBLIC", "TITLE": "PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PAN-OS", "version": {"version_data": [{"version_affected": "<", "version_name": "9.0", "version_value": "9.0.14"}, {"version_affected": "<", "version_name": "9.1", "version_value": "9.1.9"}, {"version_affected": "<", "version_name": "10.0", "version_value": "10.0.5"}, {"version_affected": "!>=", "version_name": "9.0", "version_value": "9.0.14"}, {"version_affected": "!>=", "version_name": "9.1", "version_value": "9.1.9"}, {"version_affected": "!>=", "version_name": "10.0", "version_value": "10.0.5"}, {"version_affected": "!", "version_name": "10.1", "version_value": "10.1.*"}, {"version_affected": "!", "version_name": "8.1", "version_value": "8.1.*"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "configuration": [{"lang": "en", "value": "This issue is applicable only if an External Dynamic List (EDL) is configured on the firewall.\nAn EDL that contains only domain names or IP addresses will not cause this issue."}], "credit": [{"lang": "eng", "value": "This issue was encountered by some customers of Palo Alto Networks during regular operation."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2020-3048", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2020-3048"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.5, and all later PAN-OS versions.\n\nIf a firewall encounters this problem, you will require TAC assistance to make the firewall operational again."}], "source": {"defect": ["PAN-160455"], "discovery": "USER"}, "timeline": [{"lang": "en", "time": "2021-08-11T00:00:00", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "You can prevent this issue by removing all invalid URL entries from source EDLs or removing the EDL from your configuration.\n\nAdditionally, do not configure EDLs from websites that you do not trust."}], "x_advisoryEoL": false, "x_affectedList": ["PAN-OS 10.0.4", "PAN-OS 10.0.3", "PAN-OS 10.0.2", "PAN-OS 10.0.1", "PAN-OS 10.0.0", "PAN-OS 10.0", "PAN-OS 9.1.8", "PAN-OS 9.1.7", "PAN-OS 9.1.6", "PAN-OS 9.1.5", "PAN-OS 9.1.4", "PAN-OS 9.1.3-h1", "PAN-OS 9.1.3", "PAN-OS 9.1.2-h1", "PAN-OS 9.1.2", "PAN-OS 9.1.1", "PAN-OS 9.1.0-h3", "PAN-OS 9.1.0-h2", "PAN-OS 9.1.0-h1", "PAN-OS 9.1.0", "PAN-OS 9.1", "PAN-OS 9.0.13", "PAN-OS 9.0.12", "PAN-OS 9.0.11", "PAN-OS 9.0.10", "PAN-OS 9.0.9-h1", "PAN-OS 9.0.9", "PAN-OS 9.0.8", "PAN-OS 9.0.7", "PAN-OS 9.0.6", "PAN-OS 9.0.5", "PAN-OS 9.0.4", "PAN-OS 9.0.3-h3", "PAN-OS 9.0.3-h2", "PAN-OS 9.0.3-h1", "PAN-OS 9.0.3", "PAN-OS 9.0.2-h4", "PAN-OS 9.0.2-h3", "PAN-OS 9.0.2-h2", "PAN-OS 9.0.2-h1", "PAN-OS 9.0.2", "PAN-OS 9.0.1", "PAN-OS 9.0.0", "PAN-OS 9.0"], "x_likelyAffectedList": ["PAN-OS 8.0.20", "PAN-OS 8.0.19-h1", "PAN-OS 8.0.19", "PAN-OS 8.0.18", "PAN-OS 8.0.17", "PAN-OS 8.0.16", "PAN-OS 8.0.15", "PAN-OS 8.0.14", "PAN-OS 8.0.13", "PAN-OS 8.0.12", "PAN-OS 8.0.11-h1", "PAN-OS 8.0.10", "PAN-OS 8.0.9", "PAN-OS 8.0.8", "PAN-OS 8.0.7", "PAN-OS 8.0.6-h3", "PAN-OS 8.0.6-h2", "PAN-OS 8.0.6-h1", "PAN-OS 8.0.6", "PAN-OS 8.0.5", "PAN-OS 8.0.4", "PAN-OS 8.0.3-h4", "PAN-OS 8.0.3-h3", "PAN-OS 8.0.3-h2", "PAN-OS 8.0.3-h1", "PAN-OS 8.0.3", "PAN-OS 8.0.2", "PAN-OS 8.0.1", "PAN-OS 8.0.0", "PAN-OS 8.0", "PAN-OS 7.1.26", "PAN-OS 7.1.25", "PAN-OS 7.1.24-h1", "PAN-OS 7.1.24", "PAN-OS 7.1.23", "PAN-OS 7.1.22", "PAN-OS 7.1.21", "PAN-OS 7.1.20", "PAN-OS 7.1.19", "PAN-OS 7.1.18", "PAN-OS 7.1.17", "PAN-OS 7.1.16", "PAN-OS 7.1.15", "PAN-OS 7.1.14", "PAN-OS 7.1.13", "PAN-OS 7.1.12", "PAN-OS 7.1.11", "PAN-OS 7.1.10", "PAN-OS 7.1.9-h4", "PAN-OS 7.1.9-h3", "PAN-OS 7.1.9-h2", "PAN-OS 7.1.9-h1", "PAN-OS 7.1.9", "PAN-OS 7.1.8", "PAN-OS 7.1.7", "PAN-OS 7.1.6", "PAN-OS 7.1.5", "PAN-OS 7.1.4-h2", "PAN-OS 7.1.4-h1", "PAN-OS 7.1.4", "PAN-OS 7.1.3", "PAN-OS 7.1.2", "PAN-OS 7.1.1", "PAN-OS 7.1.0", "PAN-OS 7.1"]}}}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2021-3048", "datePublished": "2021-08-11T00:00:00", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2021-08-11T17:10:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9EE274A-3AF1-4204-B43D-1EA54C6442CC", "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "5075D342-EE42-4659-BD55-2D9FE7496C34", "versionEndExcluding": "9.1.9", "versionStartIncluding": "9.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E92DFB1-AD67-4FF8-9722-200630EA490A", "versionEndExcluding": "10.0.5", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted."}, {"lang": "es", "value": "Determinadas entradas de URL no v\u00e1lidas contenidas en una lista din\u00e1mica externa (EDL) hacen que el demonio del servidor de dispositivos (devsrvr) deje de responder. Esta situaci\u00f3n causa que fallen las confirmaciones posteriores en el firewalls e impide a los administradores llevar a cabo confirmaciones y cambios de configuraci\u00f3n, aunque el firewalls siga siendo funcional. Si el firewalls se reinicia, se produce una condici\u00f3n de denegaci\u00f3n de servicio (DoS) y el firewalls deja de procesar el tr\u00e1fico. Este problema afecta a: PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.9; PAN-OS versiones 10.0 anteriores a PAN-OS 10.0.5. Versiones PAN-OS 8.1 y PAN-OS 10.1 no est\u00e1n afectadas"}], "id": "CVE-2021-3048", "lastModified": "2021-08-19T20:05:29.643", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}, "published": "2021-08-11T17:15:07.593", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Broken Link"], "url": "https://security.paloaltonetworks.com/CVE-2020-3048"}, {"source": "nvd@nist.gov", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3048"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}