PCI Vulnerabilities Report

L2 Linker

Re: PCI Vulnerabilities Report

Hi,

If we purchase a certificate for the PA from a recognized CA, are you sure the issues below will be resolved? Please confirm.

1. SSL Certificate - Self-Signed Certificate port 4443/tcp over SSL

2. OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch, Vmware-9986131-Patch)

3. SSL Certificate - Signature Verification Failed Vulnerability port 443/tcp over SSL

4. SSL Certificate - Self-Signed Certificate

L2 Linker

Re: PCI Vulnerabilities Report

Team, please answer ASAP.

L7 Applicator

Re: PCI Vulnerabilities Report

A purchased certificate from a trusted CA will solve numbers 1, 3, 4.

For number 2 you should ask for the CVE number. I assume you are running a PAN appliance. So you would then open a support case and request to know what PanOS version fixes this openSSL CVE. These are only fixed by PanOS upgrades that include the patch for the vulnerability.

Unfortunately, PAN does not make public the PanOS vulnerability database. There are some posts about specific CVEs, but generally you need to open a case to get an official answer on when the CVE is patched.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
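
Added example (not part of the thread, and not Palo Alto Networks or scanner-vendor code): a shell check, run on constructed lab certificates, of how chain verification separates a self-signed certificate, a certificate whose issuer cannot be verified, and one issued by a CA in the trust store. The function names, the `trusted` / `self-signed` / `untrusted-chain` labels and the `fw-mgmt.example.test` name are assumptions made for illustration; a scanner's own logic may differ.

```shell
#!/bin/sh
# Constructed lab certificates only; nothing here touches a real firewall.
# To test a real management interface, save its certificate first, e.g.
#   openssl s_client -connect HOST:4443 </dev/null | openssl x509 > mgmt.pem
# (HOST is a placeholder) and pass your CA bundle as the trust store.

# Build a throwaway CA, a CA-signed leaf and a self-signed cert in directory $1.
make_constructed_certs() {
    d=$1
    cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/lab.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/lab.cnf" \
        -subj "/CN=fw-mgmt.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
        -subj "/CN=fw-mgmt.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 30 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# Print trusted, self-signed or untrusted-chain for cert $1 against trust store $2.
classify_cert() {
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    elif [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
           "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo self-signed      # issuer equals subject and is not in the trust store
    else
        echo untrusted-chain  # issuer cannot be verified to a trusted root
    fi
}
```

After installing a new certificate, running `classify_cert` on the saved management certificate against the CA bundle the scanner trusts should print `trusted` before the rescan is requested.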
L2 Linker

Re: PCI Vulnerabilities Report

OK, thanks Steven.

One more question: we have upgraded to version 6.1.2 on the PA and disabled the SSLv3 point as per PCI.

But now PCI wants to enable the PA firewall management console on TSL.

Is this done after disabling SSLv3?

L7 Applicator

Re: PCI Vulnerabilities Report

I think you are referring to TLS and the POODLE vulnerability.  This is patched in versions higher than 6.1.1 and 6.0.8.

Palo Alto Networks Product Vulnerability - Security Advisories

Padding-oracle attack on TLS CBC cipher mode (CVE-2014-8730): PAN-SA-2015-0001, severity Low, affects PAN-OS 6.1.1 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier
Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L2 Linker

Re: PCI Vulnerabilities Report

Dear Team,

How do we close the PCI point below? Please help and suggest.

OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch, Vmware-9986131-Patch)

L7 Applicator

Re: PCI Vulnerabilities Report

To reliably find this patch in PanOS you really need to get the CVE number from the scanning company. With this information we can see if it is publicly noted as patched in PanOS. And if it is not public, you can open a ticket and get engineering to determine which version includes the patch.

Steve

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center