topic Re: PCI Vulnerabilities Report in General Topics

PCI Vulnerabilities Report

Satish — Fri, 27 Mar 2015 08:34:34 GMT

Dear Friends, panos, panagent HULK hshah Steven Puluka hyadavalli mmmccorkle

I have a doubt regarding PCI vulnerabilities scan and enable the signature for the same. when security team scan our WAN interface. he found below

1. SSL Certificate - Self-Signed Certificate

VULNERABILITY DETAILS

CVSS Base Score: 9.4

CVSS Temporal Score: 6.9

Severity: 2

QID: 38169

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 05/25/2009

THREAT:

An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote

server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Selfsigned

certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or

critical servers.By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server.

IMPACT:By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.

SOLUTION:Please install a server certificate signed by a trusted third-party Certificate Authority.

RESULT: Certificate #0 emailAddress=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo_Alto_Networks,L=Sunnyvale,ST=CA,C=US is a self signed certificate.

2. SSL Certificate - Signature Verification Failed Vulnerability port 443/tcp over SSL

VULNERABILITY DETAILS

CVSS Base Score: 9.4

CVSS Temporal Score: 6.9

Severity: 2

QID: 38173

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 05/23/2009

3. SSL Certificate - Self-Signed Certificate port 4443/tcp over SSL

VULNERABILITY DETAILS

CVSS Base Score: 9.4

CVSS Temporal Score: 6.9

Severity: 2

QID: 38169

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 05/25/2009

4. OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch,Vmware-9986131-Patch)

VULNERABILITY DETAILS

CVSS Base Score: 4.6

CVSS Temporal Score: 3.5

Severity: 3

QID: 115317

Category: Local

CVE ID: CVE-2006-0225

Vendor Reference: OpenSSH, FEDORA-2006-056, Vmware-3069097-Patch, Vmware-9986131-Patch

Bugtraq ID: 16369

Last Update: 06/17/2010

i have checked below reference I Need help for SSLV3 disable but not yet answered. please suggest me for the same. i am using PAN OS 6.1.2

Thanks in advance.

Regards

Satish

Re: PCI Vulnerabilities Report

pulukas — Fri, 27 Mar 2015 12:14:44 GMT

For the certificate, they are asking you to purchase a certificate for the PA from a recognized CA instead of using the device generated certificate.

How to Generate a CSR(Certificate Signing Request) and Import the Signed Certificate

For the CVE coverage, you will need to wait for PA to update the PanOS to pass.

Re: PCI Vulnerabilities Report

mmmccorkle — Fri, 27 Mar 2015 14:10:59 GMT

Satish,

The SSLv3 is not disabled for you although you are running 6.1.2?

Thanks

Re: PCI Vulnerabilities Report

Satish — Fri, 27 Mar 2015 16:19:09 GMT

Hi mmm,

After upgrading the PAN OS ssl v3 is disabled but i am facing below issue mention earlier.

Thanks

Re: PCI Vulnerabilities Report

Satish — Fri, 27 Mar 2015 16:19:45 GMT

Thanks Steven for reply let me check.

Re: PCI Vulnerabilities Report

NickySorot — Mon, 06 Apr 2015 10:58:31 GMT

how to disable ssl on paloalto for management console permanently and how to enable firewall management console on TSL.

Re: PCI Vulnerabilities Report

NickySorot — Mon, 06 Apr 2015 11:03:48 GMT

pls help us to close above point. its urgent.

Re: PCI Vulnerabilities Report

NickySorot — Mon, 06 Apr 2015 12:24:12 GMT

Team, pls answer

Re: PCI Vulnerabilities Report

jdelio — Mon, 06 Apr 2015 19:18:50 GMT

OK, I was able to research this further, and SSL V3 option has been removed from the PAN OS 6.0.8 and 6.1.2 onward. Prior to these version, you do not have any option to disable SSL V3 on the firewall, rather, you may disable SSL-V3 on your web browser. Accordingly, the client will not send SSL-v3 during the handshake.

Please let me know if this answers your question or not.

Re: PCI Vulnerabilities Report

NickySorot — Tue, 07 Apr 2015 11:23:37 GMT

what about TSL?

Re: PCI Vulnerabilities Report

NickySorot — Wed, 08 Apr 2015 06:45:05 GMT

Hi,

if we purchase a certificate for the PA from a recognized CA r u sure below issues will b resolved? Pls confirm

1. SSL Certificate - Self-Signed Certificate port 4443/tcp over SSL

2.OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch,Vmware-9986131-Patch)

3.SSL Certificate - Signature Verification Failed Vulnerability port 443/tcp over SSL

4. SSL Certificate - Self-Signed Certificate

Re: PCI Vulnerabilities Report

NickySorot — Wed, 08 Apr 2015 09:18:27 GMT

Team pls answer asap

Re: PCI Vulnerabilities Report

pulukas — Wed, 08 Apr 2015 10:06:33 GMT

A purchased certificate from an trusted CA will solve numbers 1, 3, 4.

Number 2 you should as for the CVE number. I assume you are running a PAN appliance. So you would then open a support case and request to know what PanOS version fixes this openSSL CVE. These are only fixed by PanOS upgrades that include the patch for the vulnerability.

Unfortunately, PAN does not make public the PanOS vulnerability database. There are some posts about specific CVE but generally you need to open a case to get an official answer on when the CVE is patched.

Re: PCI Vulnerabilities Report

NickySorot — Wed, 08 Apr 2015 13:35:50 GMT

Ok thanks steven.

1 more question: we have upgraded version 6.1.2 on PA and disable SSLV3 point as per PCI.

But now PCI want to enable PA firewall management console on TSL.

is this done after disabling SSLV3?

Re: PCI Vulnerabilities Report

pulukas — Wed, 08 Apr 2015 20:11:27 GMT

I think you are referring to TLS and the POODLE vulnerability. This is patched in versions higher than 6.1.1 and 6.0.8.

Palo Alto Networks Product Vulnerability - Security Advisories

Padding-oracle attack on TLS CBC cipher mode (CVE-2014-8730)

PAN-SA-2015-0001

Low

PAN-OS 6.1.1 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier

Re: PCI Vulnerabilities Report

NickySorot — Mon, 26 Oct 2015 09:56:35 GMT

Dear Team,

How to close below PCI point. Pls help and suggest.

OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch,
Vmware-9986131-Patch)

Re: PCI Vulnerabilities Report

pulukas — Mon, 26 Oct 2015 22:28:09 GMT

To reliably find this patch in PanOS you really need to get the CVE number from the scanning company. With this information we can see if it is publicly noted as patched in PanOS. And if not public you can open a ticket and get engineering to determine which version includes the patch.

Steve