topic Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site in General Topics

PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

ericgearhart — Fri, 06 Dec 2013 15:04:25 GMT

I just stumbled on this security advisory while I was googling something totally unrelated...

http://packetstormsecurity.com/files/124184/panp-xssxsrf.txt

"These issues have been fixed in PANOS 5.0.9, mentioned in the release notes like this:

57343—Fixed an issue that caused improper handling of imported certificates that contained HTML."

Also I think this vulnerability isn't even listed here, on PA's Security Advisories page:

Palo Alto Networks Product Vulnerability - Security Advisories

This is the actual vulnerability:

"A couple of bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks.

Certificate fields are displayed in the firewall web interface without proper sanitization applied to them. This way it is possible to inject html into the web interface. Various file upload forms used by the firewall do not implement proper CSRF protection. import.certificate.php for example. "

Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

ericgearhart — Mon, 06 Jan 2014 03:07:48 GMT

One month later, still nothing about this on https://securityadvisories.paloaltonetworks.com/.....

Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

indup089 — Thu, 09 Jan 2014 21:56:44 GMT

I also opened a TAC case for this, answer from there is that the information is not yet published in the security advisories because the fix for PANOS 4.1.x is not available until now.....discussible argumentation...

Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

ericgearhart — Thu, 09 Jan 2014 22:05:54 GMT

That's not an acceptable answer to me! When I can find the vulnerability on Palo Alto Networks PanOS 5.0.8 XSS / CSRF ≈ Packet Storm Packet Storm's site, it's out there for the public! At least let customers know there's a vulnerability

Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

mikand — Tue, 21 Jan 2014 09:03:58 GMT

I have tried to file the above as a report towards PSIRT, lets see how long it will take for them to reply...

Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

mikand — Wed, 22 Jan 2014 22:35:52 GMT

Just wanted to update that I got an explanation from PSIRT and even if I dont fully agree with them I do understand their point of view.

In short: an advisory will show up as soon as there is a fix available for all current PANOS versions.

Re: PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

ericgearhart — Thu, 23 Jan 2014 00:17:17 GMT

Thanks for dilligently chasing this down mikand