topic Re: PANdora's Box in General Topics

PANdora's Box

kenlacrosse — Thu, 23 Jan 2025 22:32:03 GMT

Anyone else seen this article from HackerNews? Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits I'm being told these are all old vulnerabilities and I shouldn't worry my pretty little head about them. We've a couple of new 1410's on order and I'm wondering what, if anything, I need to do to ensure that I really don't need to worry. Thoughts?

Re: PANdora's Box

BPry — Thu, 23 Jan 2025 23:05:38 GMT

@kenlacrosse,

I would wait to see if PAN to actually publishes a security advisory regarding these findings, but the actual report details a lot of where these would stand. I'm personally not a fan of how Eclypsium handled their disclosure with a significant amount of time between today and initial disclosure being the holiday period.

Looking through the vulnerabilities reported none of them at first glance appear to be exploitable by themselves. The vast majority rely on a more complex attack chain where the known exploits have all been patched, or they require physical access to the device to exploit unnoticed.

Looking solely at those that affect the 1410 as an example:

CVE-2020-10713

As PAN noted at the time, you don't regularly have access to modify core system files. This (under normal circumstances) requires that you have access to generate one-time root access via TAC. Vulnerabilities to gain root level access to system files do exist, but they are patched in the latest releases. It's not that there's no impact, but the vulnerability relies on a chain to properly exploit; eclypsium utilized known-vulnerable builds to exploit this issue.

PixieFail

My understanding is that you would need to boot into the PXE environment to exploit this. That would be severely abnormal condition to have your firewall in.

Intel BootGuard
I've personally not seen any confirmation that the leak that exposed these keys actually impacts every Intel product that some claim it does. It very well could actually include Intel keys themselves, but I've never seen direct confirmation that this is the case. I've seen a lot of people parrot the original report without any confirmation one way or the other.

Re: PANdora's Box

Naga_Chaturvedi — Fri, 24 Jan 2025 08:07:35 GMT

Paloalto published regarding PANdora's box.

PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin

Yeah we too ordered a few 1410 models recently

Re: PANdora's Box

OtakarKlier — Mon, 27 Jan 2025 20:18:37 GMT

Hello,

I went down the rabbit hole on this one and here is what I found:

Requires your admin port to be open.
1. If yours is secure in a restricted vlan, you're safe. This was the first requirement
If you're running newer preferred code, you are safe because the access to the remote code execution was via an unpatched unsecured admin interface.

So if you are good on both points, you're safe.

Regards,