https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-cve-2013-0431/m-p/16959#M12364 <HTML><HEAD></HEAD><BODY><P>I've spend some time on testing vulnerability protection on the PA firewall. The protection engine did a good job, but there is no protection against CVE-2013-0431: Java Applet JMX Remote Code Execution</P><P>I'm running PANOS 5.0.1 and Version Application and Threat ID: 364-1728.</P><P></P><P>You can find the results on my web site (<A href="http://www.accessdenied.be/">www.accessdenied.be</A>) in the document <SPAN style="font-size: 10pt;">Configuring Vulnerability Protection.pdf. Step 0x5</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Can some from Palo Alto check this out ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">regards</SPAN></P><P><SPAN style="font-size: 10pt;">Johan</SPAN></P></BODY></HTML> Sat, 23 Mar 2013 12:20:57 GMT JohanL 2013-03-23T12:20:57Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-cve-2013-0431/m-p/16959#M12364 <HTML><HEAD></HEAD><BODY><P>I've spend some time on testing vulnerability protection on the PA firewall. The protection engine did a good job, but there is no protection against CVE-2013-0431: Java Applet JMX Remote Code Execution</P><P>I'm running PANOS 5.0.1 and Version Application and Threat ID: 364-1728.</P><P></P><P>You can find the results on my web site (<A href="http://www.accessdenied.be/">www.accessdenied.be</A>) in the document <SPAN style="font-size: 10pt;">Configuring Vulnerability Protection.pdf. Step 0x5</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Can some from Palo Alto check this out ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">regards</SPAN></P><P><SPAN style="font-size: 10pt;">Johan</SPAN></P></BODY></HTML> Sat, 23 Mar 2013 12:20:57 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-cve-2013-0431/m-p/16959#M12364 JohanL 2013-03-23T12:20:57Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-cve-2013-0431/m-p/16960#M12365 <HTML><HEAD></HEAD><BODY><P>Great document. A hint would be to add a reference in the end to <A __default_attr="3094" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A> for those who wants to read some more.</P><P></P><P>Regarding your JMX case the reverse shell seems to be detected however your IPS settings seems only be to look for specific CVE's (well of course since this is a test for specific CVE's but still).</P><P></P><P>What I wonder is would the reverse shell be identified if you setup a default such as this?</P><P></P><P>Critical: Block</P><P>High: Block</P><P>Medium: Block</P><P>Low: Default</P><P>Informational: Default</P><P></P><P>I mean even if the exploit itself isnt detected then hopefully the result of the exploit like reverse shell etc is detected.</P><P></P><P>Regarding the specific exploit, CVE-2013-0431 it doesnt seem to be covered according to ThreatVault Database: <A href="https://threatvault.paloaltonetworks.com/" title="https://threatvault.paloaltonetworks.com/">https://threatvault.paloaltonetworks.com/</A></P><P></P><P>I guess you would need to notify PA in case your message on this forum isnt enough - like a contact with the support@ or the appid team (which hopefully could redirect your request properly) <A class="active_link" href="http://researchcenter.paloaltonetworks.com/tools/" title="http://researchcenter.paloaltonetworks.com/tools/">http://researchcenter.paloaltonetworks.com/tools/</A></P><P></P><P>Speaking of which... is contacting support@ the proper way to get a response on when new threats will be included or does the ThreatVault team have their own mailaddress suitable for requests?</P></BODY></HTML> Sun, 24 Mar 2013 19:00:55 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-cve-2013-0431/m-p/16960#M12365 mikand 2013-03-24T19:00:55Z