<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Wind River VxWorks in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/291142#M650</link>
    <description>&lt;P&gt;I would like to know this as well. Will this be something we could implement via a signature update or would it have to be something deeper in the inspection of the TCP/IP stack for things like SYN/URG/FIN flags?&lt;/P&gt;</description>
    <pubDate>Thu, 03 Oct 2019 17:22:37 GMT</pubDate>
    <dc:creator>KevinMedeiros</dc:creator>
    <dc:date>2019-10-03T17:22:37Z</dc:date>
    <item>
      <title>Wind River VxWorks</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/281518#M625</link>
      <description>&lt;P&gt;Is Palo Alto working on signatures/rules for the CVEs listed below ( &lt;A title="ICS Advisory (ICSA-19-211-01)" href="https://www.us-cert.gov/ics/advisories/icsa-19-211-01" target="_self"&gt;ICS Advisory (ICSA-19-211-01)&lt;/A&gt; )?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12255&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12256&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12260&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12257&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12261&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12263&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12258&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12262&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12264&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12259&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;CVE-2019-12265&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 07 Aug 2019 15:01:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/281518#M625</guid>
      <dc:creator>matthewroberson</dc:creator>
      <dc:date>2019-08-07T15:01:50Z</dc:date>
    </item>
    <item>
      <title>Re: Wind River VxWorks</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/291142#M650</link>
      <description>&lt;P&gt;I would like to know this as well. Will this be something we could implement via a signature update or would it have to be something deeper in the inspection of the TCP/IP stack for things like SYN/URG/FIN flags?&lt;/P&gt;</description>
      <pubDate>Thu, 03 Oct 2019 17:22:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/291142#M650</guid>
      <dc:creator>KevinMedeiros</dc:creator>
      <dc:date>2019-10-03T17:22:37Z</dc:date>
    </item>
    <item>
      <title>Re: Wind River VxWorks</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/293915#M664</link>
      <description>&lt;P&gt;I know this thread is a couple of months old, but I'll post a response anyway.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There are 6 critical vulnerabilities from the Urgent/11 family.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;CVE-2019-12256&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;A specially crafted IP packet sent to the target can cause a stack overflow in the handling of IP options in the header and possibly lead to remote code execution. If you have a device (like our NGFW) that can clear IP options from the IPv4 header for ingress traffic, you can neutralize this exploit. Palo Alto Networks NGFW does not clear IP options by default, so you can create a specific zone protection profile that drops the relevant IP options and apply it to the segment where your vulnerable VxWorks device is connected. "Network tab - Zone Protection Profile - add - Packet based attack protection tab"&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clipboard_image_4.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21882i720B933A808D96DB/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="clipboard_image_4.png" alt="clipboard_image_4.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;These 4 vulnerabilities all leverage manipulating the TCP URG flag/pointer. Palo Alto Networks NGFW clears the URG field in the default, out-of-the-box configuration, neutralizing these attacks. This is a global setting, however, and cannot be applied only to a specific zone. You can run the following command to check your NGFW's current setting: "show running tcp state"&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clipboard_image_1.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21879iF22113CC9E17C746/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="clipboard_image_1.png" alt="clipboard_image_1.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;From the web GUI, under the Device tab - TCP Settings.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clipboard_image_2.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21880i6566850F48A4B404/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="clipboard_image_2.png" alt="clipboard_image_2.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;CVE-2019-12257&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;Exploiting this vulnerability requires the attacker to send a crafted DHCP server response before the actual DHCP server response gets to the victim host. Configuring a security rule on your NGFW to only allow DHCP traffic from your authorized DHCP server can thwart such attacks. This obviously wouldn't work if the attacker was on the same network as the victim host. If such an implementation is not feasible due to other devices in the network, consider isolating vulnerable devices to their own network segment/zone(s) to be able to apply the desired FW security rule.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/68994"&gt;@jesseholland&lt;/a&gt;&lt;BR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/87840"&gt;@Eusono&lt;/a&gt;&lt;BR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77400"&gt;@tmcneil&lt;/a&gt;&lt;BR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113662"&gt;@matthewroberson&lt;/a&gt;&lt;BR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/95071"&gt;@KevinMedeiros&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Nov 2019 18:52:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wind-river-vxworks/m-p/293915#M664</guid>
      <dc:creator>Mark_Baik</dc:creator>
      <dc:date>2019-11-21T18:52:33Z</dc:date>
    </item>
  </channel>
</rss>

