<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to enable signature of Unique threat id in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/430830#M1296</link>
    <description>&lt;P&gt;&lt;SPAN&gt;You can mitigate this vulnerability by having traffic that routes to the management interface be scanned by a Vulnerability Protection profile which should be set to reset-both on High severity vulnerabilities. Since the firewall does not run IPS on the traffic destined to the management *port*, the recommendation implies that you would either force management traffic through the firewall, or migrate the WebUI management of the device to a data port for in-band management (where the Vulnerability Protection profile can scan the traffic) using an interface management profile, and/or mitigate risk by restricting access to the management port. This is covered in our documentation at &lt;/SPAN&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Other than the in-band solution, a few ways to force traffic through the firewall for out-of-band management are to:&lt;BR /&gt;&lt;BR /&gt;1) Create a Layer 3 interface on a spare data port in a separate Management Zone, associate an interface management profile to it, and define all service routes to source from this interface. Define an intrazone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port.&lt;/P&gt;
&lt;P&gt;or,&lt;/P&gt;
&lt;P&gt;2)&amp;nbsp;Create a vWire on two data ports, connect one port of the vWire to the management port and the other to your management network switch. Define a security policy for the vWire with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires two spare data ports. The advantage in this scenario is that it provides true management isolation and that, for any required services that do not honor Service Routes, traffic will continue to source from the Management port.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;By the way, 10.1.2 and 9.1.11 have already been released.&lt;/P&gt;</description>
    <pubDate>Wed, 01 Sep 2021 17:50:41 GMT</pubDate>
    <dc:creator>mivaldi</dc:creator>
    <dc:date>2021-09-01T17:50:41Z</dc:date>
    <item>
      <title>How to enable signature of Unique threat id</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/430814#M1295</link>
      <description>&lt;DIV&gt;Hello guys, hope you are doing well. I had one question: this vulnerability is resolved in the unstable version of PAN-OS, as I see. We want to enable the Unique ID signature because the affected versions are 9.1.4 and 10.0.0, so what should I do to enable this Unique Threat ID? What will be the impact to end users if we go ahead with the workaround?&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;CVE-2021-3050 PAN-OS: OS Command Injection Vulnerability in Web Interface&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;Description&lt;/DIV&gt;&lt;DIV&gt;An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to execute arbitrary OS commands to escalate privileges.&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;Solution:&lt;/DIV&gt;&lt;DIV&gt;We intend to fix this issue in PAN-OS 9.0.15 (ETA November 2021), PAN-OS 9.1.11 (ETA September 2021), PAN-OS 10.0.8 (ETA September 2021), PAN-OS 10.1.2 (ETA September 2021) and all later PAN-OS versions.&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;Workarounds and Mitigations:&lt;/DIV&gt;&lt;DIV&gt;Enable signatures for Unique Threat ID 91439 on traffic destined for the web interface to block attacks against CVE-2021-3050&lt;/DIV&gt;</description>
      <pubDate>Wed, 01 Sep 2021 17:09:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/430814#M1295</guid>
      <dc:creator>FarhanKoujalgi</dc:creator>
      <dc:date>2021-09-01T17:09:17Z</dc:date>
    </item>
    <item>
      <title>Re: How to enable signature of Unique threat id</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/430830#M1296</link>
      <description>&lt;P&gt;&lt;SPAN&gt;You can mitigate this vulnerability by having traffic that routes to the management interface be scanned by a Vulnerability Protection profile which should be set to reset-both on High severity vulnerabilities. Since the firewall does not run IPS on the traffic destined to the management *port*, the recommendation implies that you would either force management traffic through the firewall, or migrate the WebUI management of the device to a data port for in-band management (where the Vulnerability Protection profile can scan the traffic) using an interface management profile, and/or mitigate risk by restricting access to the management port. This is covered in our documentation at &lt;/SPAN&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Other than the in-band solution, a few ways to force traffic through the firewall for out-of-band management are to:&lt;BR /&gt;&lt;BR /&gt;1) Create a Layer 3 interface on a spare data port in a separate Management Zone, associate an interface management profile to it, and define all service routes to source from this interface. Define an intrazone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port.&lt;/P&gt;
&lt;P&gt;or,&lt;/P&gt;
&lt;P&gt;2)&amp;nbsp;Create a vWire on two data ports, connect one port of the vWire to the management port and the other to your management network switch. Define a security policy for the vWire with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires two spare data ports. The advantage in this scenario is that it provides true management isolation and that, for any required services that do not honor Service Routes, traffic will continue to source from the Management port.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;By the way, 10.1.2 and 9.1.11 have already been released.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Sep 2021 17:50:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/430830#M1296</guid>
      <dc:creator>mivaldi</dc:creator>
      <dc:date>2021-09-01T17:50:41Z</dc:date>
    </item>
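The single-spare-port option described in the reply above, as an added worked example that is not from the original post and not Palo Alto Networks' own documentation: PAN-OS configure-mode "set" commands that build the Vulnerability Protection profile, place a spare data port in its own Management zone behind an interface management profile, source the device's service routes from that port, and attach the profile to the intrazone rule so management traffic is actually inspected. Interface names, addresses, and the zone, profile and rule names are placeholders; the command syntax is written from memory of the PAN-OS 9.1/10.x CLI and should be confirmed with "?" completion on the running release before committing.

```text
# Added example (not from the post): PAN-OS configure-mode "set" commands for
# option 1 (Layer 3 data port in a Management zone). Names and addresses are
# placeholders; verify each command with "?" completion on your release.
configure

# 1. Vulnerability Protection profile: reset-both on critical and high severity
#    (the reply recommends High), plus an explicit threat exception that pins
#    the action for Unique Threat ID 91439 so it is blocked regardless of the
#    severity the content update assigns it.
set profiles vulnerability VP-Mgmt rules block-crit-high action reset-both severity [ critical high ] vendor-id any cve any threat-name any host any category any packet-capture disable
set profiles vulnerability VP-Mgmt threat-exception 91439 action reset-both

# 2. Interface management profile: only the services admins need, and only
#    from the admin subnet (the "restrict access" mitigation from the reply).
set network profiles interface-management-profile Mgmt-Inband https yes ssh yes ping yes
set network profiles interface-management-profile Mgmt-Inband permitted-ip 198.51.100.0/24

# 3. Spare data port as a Layer 3 interface in a dedicated Management zone.
set network interface ethernet ethernet1/3 layer3 ip 192.0.2.1/24
set network interface ethernet ethernet1/3 layer3 interface-management-profile Mgmt-Inband
set network virtual-router default interface ethernet1/3
set zone Management network layer3 ethernet1/3

# 4. Service routes so the firewall sources its own traffic from ethernet1/3
#    rather than the management port (repeat for every service "?" lists).
set deviceconfig system route service dns source interface ethernet1/3 address 192.0.2.1/24
set deviceconfig system route service ntp source interface ethernet1/3 address 192.0.2.1/24

# 5. Intrazone rule with the profile attached. The default intrazone rule
#    allows traffic without any security profile, so an explicit rule is
#    needed for the Vulnerability Protection profile to inspect it.
set rulebase security rules Mgmt-Inband from Management to Management source 198.51.100.0/24 destination 192.0.2.1 application [ ssl web-browsing ssh ] service application-default action allow
set rulebase security rules Mgmt-Inband profile-setting profiles vulnerability VP-Mgmt
set rulebase security rules Mgmt-Inband log-end yes

commit
exit

# Checks after commit (operational mode): confirm the signature exists in the
# installed content, then watch the threat log for hits on 91439.
show threat id 91439
show log threat direction equal backward
```

Two caveats worth keeping in mind. The profile only sees traffic that crosses the dataplane: anything that still reaches the dedicated management port directly is not scanned, which is why the reply pairs the profile with service routes or a vWire, or with tightening access to the management port. And the signature itself only exists on the box with a Threat Prevention license and an Applications and Threats content version that includes ID 91439, so treat it as a stopgap until the fixed release (9.1.11, 10.0.8, 10.1.2 or later) is installed.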
    <item>
      <title>Re: How to enable signature of Unique threat id</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/431305#M1300</link>
      <description>&lt;P&gt;Are there any docs on how we can enable the Unique Threat ID on the firewall, or should we check that the vulnerability severity is applied on the management port interface? 10.1.2 or 9.1.11 are not stable yet; also, is this issue not resolved in the stable versions 9.1.10 and 10.0.6?&lt;/P&gt;</description>
      <pubDate>Fri, 03 Sep 2021 06:14:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-enable-signature-of-unique-threat-id/m-p/431305#M1300</guid>
      <dc:creator>FarhanKoujalgi</dc:creator>
      <dc:date>2021-09-03T06:14:49Z</dc:date>
    </item>
  </channel>
</rss>

