https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44307#M32521 <HTML><HEAD></HEAD><BODY><P>Awesome!&nbsp; Thank you for the quick response!&nbsp; You saved me a call to support.&nbsp; <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </P></BODY></HTML> Sat, 15 Nov 2014 06:36:52 GMT RyanF 2014-11-15T06:36:52Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44300#M32514 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>Some bad news ... this time addressed to Windows Systems</P><P><A href="https://technet.microsoft.com/library/security/MS14-066" title="https://technet.microsoft.com/library/security/MS14-066">https://technet.microsoft.com/library/security/MS14-066</A></P><P></P><P>and some news <A href="http://pastebin.com/bsgX01dU" title="http://pastebin.com/bsgX01dU">SChannelShenanigans - Pastebin.com</A></P><P></P><P>At the moment this volnureablity isnt covered by thread prevention. We must wait some time. Probably until tommorow because this is critical volnureability and PA last time very quicly responded to such problems.</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Wed, 12 Nov 2014 20:16:03 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44300#M32514 _slv_ 2014-11-12T20:16:03Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44301#M32515 <HTML><HEAD></HEAD><BODY><P>and finally we got it!</P><P><A href="https://downloads.paloaltonetworks.com/content/content-469-2452.html?__gda__=1415993757_35819be82884cbd93ca96c92b3fd92e2" title="https://downloads.paloaltonetworks.com/content/content-469-2452.html?__gda__=1415993757_35819be82884cbd93ca96c92b3fd92e2">Version 469 Content Release Notes</A></P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Fri, 14 Nov 2014 07:37:02 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44301#M32515 _slv_ 2014-11-14T07:37:02Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44302#M32516 <HTML><HEAD></HEAD><BODY><P>MS14-066 is *not* addressed in PAN Threat Release Version 469.&nbsp; Although it is an emergency release, new filters are added for MS14-064 + MS14-065.&nbsp; <SPAN style="font-size: 10pt; line-height: 1.5em;">MS14-066 is still nowhere to be found.&nbsp; </SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Any idea when is this expected?</SPAN></P><P></P><P>FYI - for folks that are also TippingPoint customers, t<SPAN style="font-size: 10pt; line-height: 1.5em;">his is covered in Digital Vaccine #DV8633, released on November 11, 2014.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">-Matt<BR /></SPAN></P><P></P><P>--</P><P>*********************************************************</P><P>This DV includes coverage for the Microsoft Security</P><P>Bulletins released on November 11, 2014. The</P><P>following table maps TippingPoint filters to the</P><P>Microsoft Bulletins.</P><P></P><P>Bulletin #&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TippingPoint Filter #</P><P>*********************************************************</P><P>MS14-065&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16492*,16552*,16556*,16559*,16561*,16857*,16944*,16954,16955,16956*,16957,16960,16968</P><P>MS14-064&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16926,16946</P><P>MS14-066&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16961</P><P>MS14-069&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16945,16950,16953</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">16961: DTLS: Microsoft SChannel Cookie Length Buffer Overflow Vulnerability</SPAN></P><P>&nbsp;&nbsp;&nbsp; Category: Vulnerabilities</P><P>&nbsp;&nbsp;&nbsp; CVE: 2014-6321, </P><P>&nbsp;&nbsp;&nbsp; Description:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp; This filter detects an attempt to exploit a buffer overflow</P><P>&nbsp;&nbsp;&nbsp;&nbsp; vulnerability in Microsoft Secure Channel (SChannel) security</P><P>&nbsp;&nbsp;&nbsp;&nbsp; package.</P><P>&nbsp;&nbsp;&nbsp; Use of RECOMMEND action as category setting will cause this filter to be:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Disabled in default deployments.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Enabled with the "block+notify" action set in aggressive deployments.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Enabled with the "block+notify" action set in hyper-aggressive deployments.</P><P>16961: DTLS: Microsoft SChannel Cookie Length Buffer Overflow Vulnerability</P><P>&nbsp;&nbsp;&nbsp; Category: Vulnerabilities</P><P>&nbsp;&nbsp;&nbsp; CVE: 2014-6321, </P><P>&nbsp;&nbsp;&nbsp; Description:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp; This filter detects an attempt to exploit a buffer overflow</P><P>&nbsp;&nbsp;&nbsp;&nbsp; vulnerability in Microsoft Secure Channel (SChannel) security</P><P>&nbsp;&nbsp;&nbsp;&nbsp; package.</P><P>&nbsp;&nbsp;&nbsp; Use of RECOMMEND action as category setting will cause this filter to be:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Disabled in default deployments.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Enabled with the "block+notify" action set in aggressive deployments.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Enabled with the "block+notify" action set in hyper-aggressive deployments.</P></BODY></HTML> Fri, 14 Nov 2014 16:24:48 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44302#M32516 dill 2014-11-14T16:24:48Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44303#M32517 <HTML><HEAD></HEAD><BODY><P>Good news! Finally PANOS has got coverage for MS14-066 on content release 470. Just downloaded and confirmed the release containing the 5 threat ids. Please take a look at the release notes below and update your PANOS firewall to get the coverage.</P><P><A href="https://downloads.paloaltonetworks.com/content/content-470-2459.html?__gda__=1416630577_e3de0996cc297be06ead50fc93cb392d" title="https://downloads.paloaltonetworks.com/content/content-470-2459.html?__gda__=1416630577_e3de0996cc297be06ead50fc93cb392d">Version 470 Content Release Notes</A></P></BODY></HTML> Sat, 15 Nov 2014 04:49:26 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44303#M32517 babebe 2014-11-15T04:49:26Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44304#M32518 <HTML><HEAD></HEAD><BODY><P>FYI..</P><P><IMG alt="app-id-470.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16896_app-id-470.JPG" style="height: 280px; width: 620px;" /></P></BODY></HTML> Sat, 15 Nov 2014 06:02:32 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44304#M32518 HULK 2014-11-15T06:02:32Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44305#M32519 <HTML><HEAD></HEAD><BODY><P>To protect web servers with this threat signature, do we need to have SSL inbound inspection enabled?</P></BODY></HTML> Sat, 15 Nov 2014 06:11:58 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44305#M32519 RyanF 2014-11-15T06:11:58Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44306#M32520 <HTML><HEAD></HEAD><BODY><P>Hi RyanF,</P><P></P><P>In SSL inbound decryption, <SPAN style="font-size: 10pt;"><SPAN style="line-height: 1.5em;">PAN device uses server’s certificate and private key to decrypt the traffic between client and server. PAN </SPAN><SPAN style="line-height: 19.5px;">doesn't</SPAN><SPAN style="line-height: 1.5em;"> terminate the TCP connections and </SPAN></SPAN>doesn't<SPAN style="line-height: 1.5em; font-size: 10pt;"> modify packets’ data. Therefore the attack packets will reach the servers intact even if you have SSL inbound decryption. The signature should work with/without the decryption in place by mitigating the attack traffic at it hits the PAN before it reaches the destination servers. I hope that answers your question.</SPAN></P><P></P><P>Regards,</P><P>Bezabih</P></BODY></HTML> Sat, 15 Nov 2014 06:34:11 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44306#M32520 babebe 2014-11-15T06:34:11Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44307#M32521 <HTML><HEAD></HEAD><BODY><P>Awesome!&nbsp; Thank you for the quick response!&nbsp; You saved me a call to support.&nbsp; <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </P></BODY></HTML> Sat, 15 Nov 2014 06:36:52 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-in-schannel-could-allow-remote-code-execution-ms14/m-p/44307#M32521 RyanF 2014-11-15T06:36:52Z