topic Re: PANOS 10.0.6 in General Topics

PANOS 10.0.6

FarhanKoujalgi — Wed, 11 Aug 2021 13:09:13 GMT

Hello, team One of my client want to know the stable version of PANOS there current one is 9.1.5 I suggested them with min apps threat Global protect user-id version and suggest the PANOS 10.0.6 After that the client send me the issue below. The PANOS 10.0.7 is under Monitoring please let me if there is any solution for this. PAN-154433 issue id

PA-820 HA.

Priority 1

Impact

Loss of Availability
Loss of Confidentiality
Loss of Integrity

Description

Palo Alto Networks PAN-OS contains an overflow condition related to the useridd process that is triggered as certain input is not properly validated. This may allow an attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

Palo Alto Networks PAN-OS contains a flaw in the GTP-U that is triggered as the firewall cannot properly detect end-user IP address spoofing when using an IPv6 address. This may allow a remote attacker to bypass firewall protection mechanisms.

Affected Versions

Palo Alto Networks -> PAN-OS -> 10.0.6

Fixed Versions

Palo Alto Networks -> PAN-OS -> 10.0.7

Solution

Update to a fixed version.

Reference

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-addressed-issues/pan-os-10-0-7-addressed-issues.html#panos-addressed-issues-10.0.7

Re: PANOS 10.0.6

SebRupik — Wed, 11 Aug 2021 11:57:15 GMT

Hi there,

Are there any features that you require in your deployment that are only available in the 10.0.x release? If not, then you are probably better off using the preferred 9.1.10 release.

If there are features that require moving to the 10.0.x release, the next question is are you supporting IPv6? If not, then you have a valid mitigation for this vulnerability.

cheers,

Seb.

Re: PANOS 10.0.6

Remo — Wed, 11 Aug 2021 12:51:18 GMT

@SebRupik is absolutely right. If you do not need any features from 10.0 then I recommend to wait at least until x.y.8 or even x.y.9 release. Prior to that I normally don't even consider upgrading to the next version. I had too many problems in the past when I upgraded production firewalls prior to these minor versions. Of course it always depends on which features you use but in general the risk of hitting a bug isn't worth it unless you really need a new feature.

(If you have a lab environment where you can test everything - and I really mean everything with not only 1 or 2 users, then you should be able to reduce the risk of problems)

Re: PANOS 10.0.6

FarhanKoujalgi — Wed, 11 Aug 2021 13:27:53 GMT

Thankyou@Sebrupik

what about

It is based on when the User id agent is Configured right?

Re: PANOS 10.0.6

SebRupik — Wed, 11 Aug 2021 13:57:05 GMT

Is that text from the same PANOS Issue ID (154433) ? From the summary it sounds as if the user-id agent has not been enabled on the firewall you have nothing to worry about.

cheers,

Seb.

Re: PANOS 10.0.6

FarhanKoujalgi — Wed, 11 Aug 2021 14:08:14 GMT

PAN-158372

Fixed a buffer overflow issue related to the user id process.

No, this text is from another PANOS issue id

So for this issue, if the user -id agent has not been enabled on the firewall we have nothing to worry about right?

Re: PANOS 10.0.6

SebRupik — Wed, 11 Aug 2021 14:14:28 GMT

Exactly, most of the unresolved issues on a release can be mitigated by the fact a particular feature is not part of the running config.

cheers,

Seb.