PSIRT Articles

About PSIRT Articles

Welcome. This is the place to come for the latest news from the Product Security Incident Response Team at Palo Alto Networks. Here you will find PSIRT related information and happenings, as well as security advisories published by the PSIRT team.

To receive notifications when new content is published here, click on Options and select Subscribe. You must be signed in to the Live Community in order to subscribe to content.


Featured Article
Background ROBOT [1] is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key.   Exposure SSL Decryption and GlobalProtect are susceptible to this issue. O ur engineers are working on a software fix. We recommend customers running PAN-OS to upgrade to a fixed version of software or use content update 757, and implement further mitigations through the configuration changes described below under “Mitigations”. PAN-OS impacted releases include 6.1.19 and prior, 7.1.14 and prior, 8.0.6-h3 and prior.   Fix and Mitigations Software update PAN-OS 6.1.20 and newer, 7.1.15 and newer,  and 8.0.7 and newer are fixed. Customers exposed to this vulnerability are invited to upgrade to a corrected version of PAN-OS.   Content Update Palo Alto Networks has released content update 757, which includes a vulnerability signature (“TLS Network Security Protocol Information Disclosure Vulnerability – ROBOT”, #38407) that can be used as an interim mitigation to protect PAN-OS devices until the software is upgraded. For complete protection, signature #38407 must be applied upstream from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway.   SSL Decryption Mitigation Customers running PAN-OS 7.1 or later can configure their SSL Decryption profiles to disable RSA.   GlobalProtect Mitigation If the GlobalProtect server certificate is using RSA, customers running PAN-OS 7.1 or later can opt to replace this certificate with one implementing the Eliptic Curve DSA algorithm as a safer alternative. Note: A PAN-OS 7.1 known issue prevents properly formatted ECDSA CSR. As a result, the Global Protect ECDSA certificate  could either be generated: on appliance by temporarily importing the enterprise Certificate Authority in PAN-OS; or on external enterprise PKI system then imported into PAN-OS along with its private key.   See Also PAN-OS Technical Documentation   Critical Issues Addressed In PAN-OS Releases   Best Practices For PAN-OS Upgrade   Reference [1] https://robotattack.org/  
View full article
emoret ‎02-28-2019 08:59 AM
32,370 Views
14 Replies
2 Likes
Coverage for the Meltdown and Spectre vulnerabilities: Traps anti-exploitation mechanisms will not protect against exploiting of these vulnerabilities. The disclosed vulnerabilities are memory read vulnerabilities. They do not cause code execution. For an attacker to use these vulnerabilities, there likely would have been an initial attack phase that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities). For more information on Microsoft’s updates, please see Microsoft Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities Note that these vulnerabilities are memory read vulnerabilities; they do not cause code execution. For an attacker to use these vulnerabilities in an attack, they would have to have already executed a successful initial attack that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities). Compatibility: All the currently supported product lines (3.4, 4.0, and 4.1) were tested running on all the supported Operating System versions and certified to be compatible with the Microsoft Security updates. Note that the tests were performed on both physical and virtual machines. Find more information around Supported Operating Systems and Platforms on our Compatibility Matrix. https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/traps/where-can-i-install-the-traps-agent Microsoft patch: Traps is compatible with the patches Microsoft released to fix CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 vulnerabilities.   Apple patch: Traps is compatible with macOS High Sierra 10.13.2 Supplemental Update including security improvements to Safari and WebKit to mitigate the effects of CVE-2017-5753 and CVE-2017-5715. Installing the Patch: Traps  4.0.5-h1, Traps 4.1.2-h1, and later automatically set the registry key Microsoft requires to be present for their security updates to install successfully. For more information on this registry key, please see Microsoft Knowledge Base Article 4072699.   Customers requiring assistance with the upgrade, or assistance with older versions can reach out to the Palo Alto Networks Support team. Find the Support contact for your region at https://www.paloaltonetworks.com/company/contact-support   Change Log   Friday, Jan. 12, 2018 Post updated to include the note at the bottom of the article regarding a forthcoming update. Tuesday, Jan. 23, 2018 Updated with information about the new releases that allow Windows to install the patches automatically. Friday, Jan. 26, 2018 Updated to clarify information around the Microsoft Windows registry key.
View full article
JacqTo ‎01-26-2018 11:41 PM
15,065 Views
6 Replies
8 Likes