topic Re: NSS Labs Report - Mitigation for claimed vulnerabilities? in General Topics

NSS Labs Report - Mitigation for claimed vulnerabilities?

networkadmin — Thu, 02 Oct 2014 17:23:45 GMT

Could someone elaborate on the section which says:

All PAN-OS devices require a configuration change to detect even the most basic TCP stream segmentation evasions. The “Mismatched overlapping TCP segment” protection in the Zone Protection profile is not enabled by default, which allows attackers to bypass the device completely using TCP stream segmentation with overlapping data evasion techniques. NSS strongly recommends that this protection is always enabled – any PAN customer that has not checked this box is at extreme risk.

I've not come across this and would like to know if it's suggested to enable it?

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

ssharma — Thu, 02 Oct 2014 17:32:28 GMT

Hi NetworkAdmin,

You can find following document to answer some of your question:

Response to Recently Released 2014 NSS Next-Generation Firewall Comparative Analysis - Palo Alto Networks BlogPalo Alto …

Thank you.

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

mrsoldner — Fri, 03 Oct 2014 12:56:12 GMT

I had thought about posting that same report in hopes of seeing / hearing other thoughts.

This video was also ... interesting to say the least.

Note: I understand this appears to be a CheckPoint smear channel, it's still interesting to see the vulnerability.

Palo Alto Netowrks IPS evasion DEMO - NSS Labs - YouTube

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

lios — Fri, 03 Oct 2014 13:15:11 GMT

Nothing new (2010):

Advanced evasion techniques - Laboratory demonstration - YouTube

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

lios — Mon, 06 Oct 2014 13:51:27 GMT

Hello,

I have tried attack which is shown in previously mentioned video (Palo Alto Netowrks IPS evasion DEMO - NSS Labs - YouTube) and it was not successful over PA. It looks like PA (6.0.5, app&threat 459-2387) is blocking all segmented SMB traffic.

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

lios — Mon, 06 Oct 2014 14:06:34 GMT

ask PA

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

lios — Tue, 07 Oct 2014 13:54:49 GMT

I have to add that all I tried was conficker attack using single "smb_seg" evasion as shown in video which was stopped using signature not normalization. I haven't ran Evader in Automatic Evasions mode for 12 hours as shown in video..

Strangely some messages from hshah and one from me disappeared in this thread.

Hi Lios,

Thanks for inputs. As I said PANW first gathers all fragemetns, IF any fragment is

missing or overlapping than it simply drops all fragments.

Regards,

Hardik Shah

Then I wrote that it looks like PA is blocking ANY fragmented SMB traffic not just with missing or overlapping fragments.

Hi Lion,

That might be true.

Regards,

Hardik Shah

Interesting, why would it block genuine fragments ?

My response (ask PA) is still here..

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

lios — Tue, 07 Oct 2014 13:55:52 GMT

By the way, new video:

PAN Evasion Bypass take 2 - With PAN Best Practices implemented - YouTube

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

Retired Member — Thu, 09 Oct 2014 13:31:48 GMT

Customer advisory - Palo Alto Networks provides coverage for 2 security evasions

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

lios — Wed, 29 Oct 2014 17:36:46 GMT

Palo Alto Networks IPS Evasion Bypass After NSS Labs Patch 6.0.5h3 - YouTube

Re: NSS Labs Report - Mitigation for claimed vulnerabilities?

Retired Member — Wed, 29 Oct 2014 17:46:19 GMT

So; the fixes are not enough ?