
Palo Alto Networks patches 9.8 severity CVE in popular GlobalProtect product
2021-11-11 16:40

Palo Alto Networks has issued a patch for a CVSS 9.8-rated buffer overflow affecting a VPN component of its widely used firewall software, warning that the flaw allows unauthenticated attackers to execute arbitrary code on unpatched appliances.

"A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges," said the company in an advisory published this week.

"The attacker must have network access to the GlobalProtect interface to exploit this issue."

Such vulns are rapidly picked up on and exploited by ransomware gangs and nation states; Australia's Cyber Security Centre issued a warning today urging sysadmins to "Apply the available update as soon as possible."

If you haven't potentially exposed 1000s of customers once again with networking vulns, step forward... Not so fast, Palo Alto Networks.

Furious Reg reader John complained: "Everybody using Palo Alto Networks' GlobalProtect, who is running only the second newest patch level on the 8.1 train which is still active in the lifecycle, is affected."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/11/palo_alto_networks_critical_cve_globalprotect/