topic Re: CVE-2021-3059 - clarity on disabling dynamic updates in General Topics

CVE-2021-3059 - clarity on disabling dynamic updates

BSwientoniowski — Wed, 10 Nov 2021 20:13:02 GMT

The Security Advisory for CVE-2021-3059 suggests disabling dynamic updates as a workaround for the vulnerability. However, it specifically says to go to the Device Deployment > Dynamic Updates interface (which is in the Panorama tab of my deployment).

How is that different than if you have schedules set under the Device Tab > Dynamic Updates?

Additionally, is it OK to manually download and install app/threat, av, and wildfire updates?

Re: CVE-2021-3059 - clarity on disabling dynamic updates

OtakarKlier — Wed, 10 Nov 2021 22:39:12 GMT

Hello,

So this is only my opinion, however I say keep the dynamic updates on. The risk is very low even according to the article. An attacker would have to play man in the middle with PAN's certificates and DNS resolution to pull this off. I would say the risk is higher if you disable the dynamic updates. However yes you can do them manually.

Regards,

Re: CVE-2021-3059 - clarity on disabling dynamic updates

BPry — Thu, 11 Nov 2021 05:03:49 GMT

@BSwientoniowski,

If your running Panorama you would want to do it in both locations for full mediation. Device Deployment > Dynamic Updates is simply using Panorama to deploy the dynamic updates to your firewalls, where's Device Tab > Dynamic Updates is having Panorama (or just a standalone firewall) reach out to PANs update network to grab the updates.

As for the manual installation, assuming that you aren't concerned about MITM within your own network, this should be fine from what they've published.

Re: CVE-2021-3059 - clarity on disabling dynamic updates

aleksandar.astardzhiev — Thu, 11 Nov 2021 15:35:24 GMT

I fully agree with @BPry and @OtakarKlier ,

I was surprise that the advisory is not mentioning the "verify update server identity" as possible workaround...

How will you perform MITM if firewall accept only publicy trusted CAs, it is hard to imagine that attacker will be able to get public CA sign his forget certificate...