CVE-2021-3062 Overview
CVE-2021-3062 is an improper access control vulnerability in Palo Alto Networks PAN-OS software that affects VM-Series firewalls deployed on Amazon AWS. The vulnerability enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint. Successful exploitation allows an attacker to perform any operations permitted by the EC2 role assigned to the VM-Series instance in AWS, potentially leading to significant cloud infrastructure compromise.
Critical Impact
Authenticated attackers can access EC2 instance metadata, enabling them to retrieve IAM credentials and perform unauthorized operations within the AWS environment using the permissions granted to the compromised VM-Series firewall's EC2 role.
Affected Products
- PAN-OS 8.1 versions earlier than 8.1.20 (VM-Series firewalls)
- PAN-OS 9.0 versions earlier than 9.0.14 (VM-Series firewalls)
- PAN-OS 9.1 versions earlier than 9.1.11 (VM-Series firewalls)
- PAN-OS 10.0 versions earlier than 10.0.8 (VM-Series firewalls)
- Palo Alto Networks VM-Series Firewall on AWS
Discovery Timeline
- November 10, 2021 - CVE-2021-3062 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-3062
Vulnerability Analysis
This vulnerability stems from improper access control within the GlobalProtect portal and gateway components of PAN-OS. When VM-Series firewalls are deployed on AWS infrastructure, they have access to the EC2 instance metadata service (IMDS) at the link-local address 169.254.169.254. Under normal circumstances, access to this endpoint should be restricted to authorized system processes only.
The flaw allows authenticated users with access to GlobalProtect to proxy requests through the firewall to reach the EC2 metadata endpoint. This is particularly dangerous because the EC2 metadata service exposes sensitive information including temporary IAM credentials associated with the instance's IAM role. These credentials can then be used to perform actions within the AWS environment based on the permissions granted to the role.
Importantly, Prisma Access customers are not impacted by this vulnerability, as their deployment architecture differs from the self-managed VM-Series on AWS.
Root Cause
The root cause is classified under CWE-284 (Improper Access Control). The GlobalProtect component fails to properly validate and restrict outbound connections initiated through authenticated sessions. Specifically, the software does not prevent authenticated users from leveraging their session to access the internal EC2 instance metadata endpoint, which should be accessible only to the firewall's own operating system processes.
Attack Vector
The attack requires network access and authenticated credentials to a GlobalProtect portal or gateway running on an affected VM-Series firewall in AWS. The attacker must first authenticate to GlobalProtect using valid credentials, then craft requests that traverse through the firewall to reach the EC2 metadata service. Once the attacker retrieves the IAM role credentials from the metadata endpoint, they can use these credentials externally to perform AWS API calls with whatever permissions the VM-Series instance's IAM role possesses.
The vulnerability is exploitable over the network and requires low complexity to execute once authentication is achieved. No user interaction is required beyond the initial authenticated session establishment.
Detection Methods for CVE-2021-3062
Indicators of Compromise
- Unusual outbound connections from GlobalProtect sessions to the EC2 metadata endpoint (169.254.169.254)
- Unexpected API calls to AWS services using the VM-Series instance's IAM role credentials from external IP addresses
- Authentication logs showing legitimate users followed by suspicious metadata service access patterns
- CloudTrail logs revealing IAM credential usage from unexpected source locations
Detection Strategies
- Monitor GlobalProtect session logs for requests targeting internal AWS metadata endpoints
- Implement AWS CloudTrail monitoring for API calls made using the VM-Series instance credentials from unexpected source IPs
- Configure AWS GuardDuty to detect anomalous credential usage patterns
- Deploy SentinelOne Singularity Cloud Security to identify suspicious access patterns in AWS environments
Monitoring Recommendations
- Enable detailed logging on GlobalProtect portals and gateways to capture all user session activity
- Configure alerting for any access attempts to the 169.254.169.254 address from authenticated user sessions
- Implement AWS IAM Access Analyzer to continuously monitor for unusual credential activity
- Establish baseline behavior for your VM-Series instances and alert on deviations
How to Mitigate CVE-2021-3062
Immediate Actions Required
- Upgrade affected VM-Series firewalls to the patched PAN-OS versions immediately (8.1.20, 9.0.14, 9.1.11, or 10.0.8 or later)
- Audit AWS IAM roles assigned to VM-Series instances and apply the principle of least privilege
- Review GlobalProtect user access and credentials for any unauthorized activity
- Enable AWS IMDSv2 on VM-Series instances to add an additional layer of protection
Patch Information
Palo Alto Networks has released security patches addressing this vulnerability. Affected organizations should upgrade to the following minimum versions:
- PAN-OS 8.1: Upgrade to version 8.1.20 or later
- PAN-OS 9.0: Upgrade to version 9.0.14 or later
- PAN-OS 9.1: Upgrade to version 9.1.11 or later
- PAN-OS 10.0: Upgrade to version 10.0.8 or later
For detailed patch information, refer to the Palo Alto Networks Security Advisory.
Workarounds
- Configure AWS Instance Metadata Service Version 2 (IMDSv2) which requires session tokens and provides additional protection against SSRF-style attacks
- Restrict IAM role permissions attached to VM-Series instances to the absolute minimum required for operation
- Implement network-level controls to monitor and restrict access to the metadata endpoint from GlobalProtect sessions
- Consider deploying additional network segmentation to limit the blast radius of potential credential compromise
# Enable IMDSv2 on AWS VM-Series instance (requires session token for metadata access)
aws ec2 modify-instance-metadata-options \
--instance-id <your-vm-series-instance-id> \
--http-tokens required \
--http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
