Is Palo vulnerable to the shell shock Linux bug?

L1 Bithead

Re: Is Palo vulnerable to the shell shock Linux bug?

Default Action on the signature is set to alert, which is very strange for something that could potentially be used to create DHCP worms across virtually every non-Windows platform, including smartphones. 

We've installed the update onto all our PANOS boxes, but cannot see ID 36729 nor the CVE number appear in the signatures list. Regardless of that, if I create a rule to match the 36729 ID with block as the action will the device take it?

L0 Member

Re: Is Palo vulnerable to the shell shock Linux bug?

dynamicv wrote:

Default Action on the signature is set to alert, which is very strange for something that could potentially be used to create DHCP worms across virtually every non-Windows platform, including smartphones.

We've installed the update onto all our PANOS boxes, but cannot see ID 36729 nor the CVE number appear in the signatures list. Regardless of that, if I create a rule to match the 36729 ID with block as the action will the device take it?

You can make an exception and change the default action.

  1. Go into your Vulnerability Protection Profile
  2. Click "Exceptions"
  3. Check "Show all signatures"
  4. Enter 36729
  5. Change the action to whatever you'd like it to be.
  6. Push policy.
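The same override from the firewall CLI, as an added example that is not part of the original post. The command syntax is assumed from the PAN-OS 6.x configuration CLI and should be confirmed against the CLI reference for your release; "vuln-profile" is a placeholder profile name.

```text
# Enter configuration mode on the management plane
admin@test-box> configure

# Override the default "alert" action for threat ID 36729 in the profile
# (the profile must already be attached to the security rules you care about)
admin@test-box# set profiles vulnerability vuln-profile threat-exception 36729 action block

# Review the exception before committing
admin@test-box# show profiles vulnerability vuln-profile threat-exception

# Commit, then leave configuration mode
admin@test-box# commit
admin@test-box# exit

# Operational-mode check that the signature is present after the content update
# (syntax assumed; if the ID is missing, the content update has not been installed)
admin@test-box> show threat id 36729
```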
Not applicable

Re: Is Palo vulnerable to the shell shock Linux bug?

PAN-OS includes bash, which means it is likely vulnerable:

test-box> debug cli detail

Environment variables :
(LANG . en_US.UTF-8)
(USER . admin)
(LOGNAME . admin)
(HOME . /opt/pancfg/home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 192.0.2.1 57409 22)
(SSH_CONNECTION . 192.0.2.1 57409 192.0.2.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . xterm)
(SSH_AUTH_SOCK . /tmp/ssh-vHZslV9235/agent.9235)
(LESSCHARSET . utf-8)
(PAN_BASE_DIR . /opt/pancfg/mgmt)

Build Target : panos-5000-mp
Build Type   : RELEASE
Total Heap : 7.16 M
Used       : 6.11 M
Nursery    : 0.12 M

L2 Linker

Re: Is Palo vulnerable to the shell shock Linux bug?

"Low" vulnerability to PAN-OS is premised on only authenticated users being able to exploit.

But elsewhere I've seen reports that the vulnerability doesn't require authentication to exploit. Based on NVD - Detail it seems PAN-OS could (emphasize could) be vulnerable either through ssh or the web interface.

Also, like dynamicv, I can't see the signature in the update even when I follow mrsoldner's instructions.

EDIT: Some time after the above, I updated PAN-OS from 6.0.4 to 6.0.5, and rebooted the firewall as part of the update. The signature is visible now.

L2 Linker

Re: Is Palo vulnerable to the shell shock Linux bug?

Per product management, "The Bash vulnerability currently appears to be a low severity issue due to the fact that only authenticated users could potentially exploit the vulnerability against PAN-OS.  Normal PAN-OS maintenance release updates will provide a fix for the vulnerability."

Also, there is an internal bug open where the bash patch will be applied in PAN-OS (it is yet to be confirmed in which release the fix will be available and whether it will be backported to the previous releases). Hope this helps.

L4 Transporter

Re: Is Palo vulnerable to the shell shock Linux bug?

Please note our new release.

Version 458

Notes: Release notes for emergency content release for CVE-2014-6271 update and CVE-2014-7169

On Thursday, September 25th, Palo Alto Networks became aware of additional vulnerabilities with the Bash shell utility. The fixes for CVE-2014-6271 were incomplete from Operating System vendors and there is a new vulnerability, CVE-2014-7169, that describes this issue. To address this new vulnerability, Palo Alto Networks is releasing an emergency content update that provides updated detection of both CVE-2014-7169 and the previous CVE-2014-6271 vulnerability with an update to the IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with "Critical" severity and default action of "Alert".

Please don't forget to mark this discussion as answered if we have addressed your concerns.
