Prisma Access Remediation Plan for CVE-2021-3046
Incident Report for Palo Alto Networks Cloud Services
Identified
This is an update to the status page notification that was sent on August 12, 2021, regarding the Palo Alto Networks Security Advisory for GlobalProtect, CVE-2021-3046. If you have a Mobile Users - GlobalProtect deployment and are running 2.0 Preferred, 2.0 Innovation, or 2.1 Preferred, this notice affects you.

The Prisma Access team has researched this vulnerability. The vulnerability allows one SAML-authenticated Prisma Access mobile user to impersonate another user. It is rated medium on the CVSS scale. The vulnerability does not allow any unauthenticated attacker to gain unauthorized access. Palo Alto Networks is not aware of any malicious exploitation of this issue, and there are no known public exploits.

This vulnerability has been fixed in the 2.1 Innovation version and will be fixed as a part of the dataplane upgrade for Prisma Access 2.2 Preferred starting September 2021.

If you require immediate remediation, contact your Palo Alto Networks account representative or partner to schedule a dataplane upgrade to Prisma Access 2.1 Innovation; however, be aware that you will require another dataplane upgrade in the September 2021 time frame when Prisma Access 2.2 Preferred is released.
Posted Aug 17, 2021 - 17:18 UTC
Investigating
On August 11th 2020, the Palo Alto Networks Security Team published a CVE that was found externally.

The following CVE could potentially impact a subset of Prisma Access customers that have a Mobile User - GlobalProtect deployment. Customers that do not have a Mobile User - GlobalProtect deployment are not impacted by this CVE.

CVE Name: CVE-2021-3046
Applicable to Prisma Access Versions: 2.0 Preferred, 2.0 Innovation, 2.1 Preferred (2.1 Innovation customers are not impacted)
Severity: Medium
Remediation Timeline: To be Determined

At the moment, Palo Alto Networks is conducting an internal investigation into this event and creating a remediation plan. At this time, there is no action required from customers. The CVE is of medium severity and as per service guidelines, Palo Alto Networks will provide an update on the remediation plan by Monday, August 16th, 12 p.m. PST. The next notification will be provided on the status.paloaltonetworks.com page and Palo Alto Networks will send an email notification via Insights.
Posted Aug 12, 2021 - 18:56 UTC
This incident affects: Prisma Access (Americas-Argentina, Americas-Bolivia, Americas-Brazil Central, Americas-Brazil East, Americas-Brazil South, Americas-Canada Central, Americas-Canada East, Americas-Canada West, Americas-Chile, Americas-Colombia, Americas-Costa Rica, Americas-Ecuador, Americas-Mexico Central, Americas-Mexico West, Americas-Panama, Americas-Paraguay, Americas-Peru, Americas-US Central, Americas-US East, Americas-US Northeast, Americas-US Northwest, Americas-US South, Americas-US Southeast, Americas-US Southwest, Americas-US West, Americas-Venezuela, APAC-Australia East, APAC-Australia South, APAC-Australia Southeast, APAC-Bangladesh, APAC-Cambodia, APAC-Hong Kong, APAC-India North, APAC-India South, APAC-India West, APAC-Indonesia, APAC-Japan Central, APAC-Japan South, APAC-Malaysia, APAC-Myanmar, APAC-New Zealand, APAC-Pakistan South, APAC-Pakistan West, APAC-Papua New Guinea, APAC-Philippines, APAC-Singapore, APAC-South Korea, APAC-Taiwan, APAC-Thailand, APAC-Vietnam, EMEA-Andorra, EMEA-Austria, EMEA-Belarus, EMEA-Belgium, EMEA-Bulgaria, EMEA-Croatia, EMEA-Czech Republic, EMEA-Denmark, EMEA-Finland, EMEA-France North, EMEA-France South, EMEA-Germany Central, EMEA-Germany North, EMEA-Germany South, EMEA-Greece, EMEA-Hungary, EMEA-Ireland, EMEA-Italy, EMEA-Liechtenstein, EMEA-Lithuania, EMEA-Luxembourg, EMEA-Moldova, EMEA-Monaco, EMEA-Netherlands Central, EMEA-Netherlands South, EMEA-Norway, EMEA-Poland, EMEA-Portugal, EMEA-Romania, EMEA-Russia Central, EMEA-Russia Northwest, EMEA-Slovakia, EMEA-Slovenia, EMEA-Spain Central, EMEA-Spain East, EMEA-Sweden, EMEA-Switzerland, EMEA-UK, EMEA-Ukraine, EMEA-Uzbekistan, EMEA-Kenya, EMEA-Nigeria, EMEA-South Africa Central, EMEA-South Africa West, EMEA-Egypt, EMEA-Israel, EMEA-Jordan, EMEA-Kuwait, EMEA-Saudi Arabia, EMEA-Turkey, EMEA-United Arab Emirates, Americas-Brazil South (Location on-boarded prior to version 1.4), Americas-Canada East (Location on-boarded prior to version 1.4), Americas-US Central (Location on-boarded prior to version 1.4), Americas-US East (Location on-boarded prior to version 1.4), Americas-US Northwest (Location on-boarded prior to version 1.4), Americas-US West (Location on-boarded prior to version 1.4), APAC-Australia Southeast (Location on-boarded prior to version 1.4), APAC-India West (Location on-boarded prior to version 1.4), APAC-Japan Central (Location on-boarded prior to version 1.4), APAC-Singapore (Location on-boarded prior to version 1.4), APAC-South Korea (Location on-boarded prior to version 1.4), EMEA-France North (Location on-boarded prior to version 1.4), EMEA-Germany Central (Location on-boarded prior to version 1.4), EMEA-Ireland (Location on-boarded prior to version 1.4), EMEA-UK (Location on-boarded prior to version 1.4)).