topic Re: Is Palo vulnerable to the shell shock Linux bug? in General Topics

Is Palo vulnerable to the shell shock Linux bug?

Smi12 — Thu, 25 Sep 2014 12:12:26 GMT

Is Palo vulnerable to the shell shock Linux bug?

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

Re: Is Palo vulnerable to the shell shock Linux bug?

Retired Member — Thu, 25 Sep 2014 12:35:37 GMT

I also wonder if it is or not

There are some fixes and tests on the web for linux and macos but we don't have root access to test

Re: Is Palo vulnerable to the shell shock Linux bug?

mrsoldner — Thu, 25 Sep 2014 12:38:38 GMT

I believe the latest emergency content update addresses this:

Application and Threat Content Release Notes

Version 457

Notes: Earlier today, Wednesday, September 24th, Palo Alto Networks became aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability is CVE-2014-6271 and allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650

To address this vulnerability, Palo Alto Networks has released an emergency content update that provides detection of attempted exploitation of CVE-2014-6271 with IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with Critical severity and default action of "Alert." Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. If you have any questions about coverage for this advisory, please contact Support.

New Vulnerability Signatures (1)

Severity	ID	Attack Name	CVE ID	Vendor ID	Default Action	Minimum PAN-OS Version
critical	36729	Bash Remote Code Execution Vulnerability	CVE-2014-6271		alert	4.0.0

Re: Is Palo vulnerable to the shell shock Linux bug?

HULK — Thu, 25 Sep 2014 12:38:39 GMT

Hello Smi12,

Content update 457-2377 with coverage for CVE-2014-6271 Signature ID: 36729 "Bash Remote Code Execution Vulnerability" has been released . Please update the PAN firewall with latest Application and Threat database.

Thanks

Re: Is Palo vulnerable to the shell shock Linux bug?

HULK — Thu, 25 Sep 2014 12:42:25 GMT

FYI..

Thanks

Re: Is Palo vulnerable to the shell shock Linux bug?

${userLoginName} — Thu, 25 Sep 2014 12:56:27 GMT

Good to know that there is a signature for it, but it doesn't answer the question if the OS itself is vulnerable of not

Kind regards,

Bob

Re: Is Palo vulnerable to the shell shock Linux bug?

chrisp — Thu, 25 Sep 2014 13:18:12 GMT

I agree with bdeschut...What's the story with that?

Re: Is Palo vulnerable to the shell shock Linux bug?

Retired Member — Thu, 25 Sep 2014 13:20:53 GMT

yes that was the real question I think

Re: Is Palo vulnerable to the shell shock Linux bug?

Smi12 — Thu, 25 Sep 2014 14:35:55 GMT

Still trying to work out if the Linux based PAN-OS including that used by Panorama is vulnerable to this also? any thoughts HULK or mrsoldner ?

Re: Is Palo vulnerable to the shell shock Linux bug?

chrisp — Thu, 25 Sep 2014 14:43:03 GMT

It is...Palo Alto Networks Product Vulnerability - Security Advisories

They have it as a LOW.

Re: Is Palo vulnerable to the shell shock Linux bug?

David_Hulse — Thu, 25 Sep 2014 14:46:24 GMT

Default Action on the signature is set to alert, which is very strange for something that could potentially be used to create DHCP worms across virtually every non-Windows platform, including smartphones.

We've installed the update onto all our PANOS boxes, but cannot see ID 36729 nor the CVE number appear in the signatures list. Regardless of that, if I create a rule to match the 36729 ID with block as the action will the device take it?

Re: Is Palo vulnerable to the shell shock Linux bug?

mrsoldner — Thu, 25 Sep 2014 15:41:55 GMT

dynamicv wrote:

You can make an exception and change the default action.

Go into your Vulnerability Protection Profile
Click "Exceptions"
Check "Show all signatures"
Enter 36729
Change the action to whatever you'd like it to be.
Push policy.

Re: Is Palo vulnerable to the shell shock Linux bug?

rvandegrift — Thu, 25 Sep 2014 17:07:27 GMT

PAN-OS includes bash, which means it is likely vulnerable:

test-box> debug cli detail

Environment variables :

(LANG . en_US.UTF-8)

(USER . admin)

(LOGNAME . admin)

(HOME . /opt/pancfg/home/admin)

(PATH . /usr/local/bin:/bin:/usr/bin)

(MAIL . /var/mail/admin)

(SHELL . /bin/bash)

(SSH_CLIENT . 192.0.2.1 57409 22)

(SSH_CONNECTION . 192.0.2.1 57409 192.0.2.2 22)

(SSH_TTY . /dev/pts/0)

(TERM . xterm)

(SSH_AUTH_SOCK . /tmp/ssh-vHZslV9235/agent.9235)

(LESSCHARSET . utf-8)

(PAN_BASE_DIR . /opt/pancfg/mgmt)

Build Target : panos-5000-mp

Build Type : RELEASE

Total Heap : 7.16 M

Used : 6.11 M

Nursery : 0.12 M

Re: Is Palo vulnerable to the shell shock Linux bug?

Elliot_Wilen — Thu, 25 Sep 2014 17:46:52 GMT

"Low" vulnerability to PAN-OS is premised on only authenticated users being able to exploit.

But elsewhere I've seen reports that the vulnerability doesn't require authentication to exploit. Based on NVD - Detail it seems PAN-OS could (emphasize could) be vulnerable either through ssh or the web interface.

Also, like dynamicv, I can't see the signature in the update even when I follow mrsoldner's instructions.

EDIT: Some time after the above, I updated PAN-OS from 6.0.4. to 6.0.5, and rebooted the firewall as part of the update. The signature is visible now.

Re: Is Palo vulnerable to the shell shock Linux bug?

gchandrasekaran — Sat, 27 Sep 2014 03:01:54 GMT

Per product management, "The Bash vulnerability currently appears to be a low severity issue due to the fact that only authenticated users could potentially exploit the vulnerability against PAN-OS. Normal PAN-OS maintenance release updates will provide a fix for the vulnerability."

Also, there is an internal bug open where the bash patch will be applied in the PAN-OS (it is yet to be confirmed in which release will the fix be available and whether it will be backported to the previous releases) Hope this helps.

Re: Is Palo vulnerable to the shell shock Linux bug?

mmmccorkle — Tue, 30 Sep 2014 22:47:38 GMT

Please note our new release.

Version 458

Notes: Release notes for emergency content release for CVE-2014-6271 update and CVE-2014-7169

Thursday, September 25th, Palo Alto Networks became aware of additional vulnerabilities with the Bash shell utility. The fixes for CVE-2014-6271 were incomplete from Operating System vendors and there is a new vulnerability, CVE-2014-7169, that describes this issue. To address this new vulnerability, Palo Alto Networks is releasing an emergency content update that provides updated detection of both CVE-2014-7169 and the previous CVE-2014-6271 vulnerability with an update to the IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with "Critical" severity and default action of "Alert".

Please don't forget to mark this discussion as answered if we have addressed your concerns.