01-27-2015 09:22 PM
Hello Choff123,
PAN is aware of this vulnerability. This has been notified. On Tuesday, January 27th, a Linux Remote Code Execution Vulnerability was discovered in the GetHost function in certain Linux distributions. This is also known as the "GHOST glib gethostbyname" buffer overflow vulnerability (CVE-2015-0235).
Our existing signature with TID# 30384 should protect against this vulnerability.
https://threatvault.paloaltonetworks.com/Home/ThreatDetail/30384
SMTP EHLO/HELO overlong argument anomaly
Signature ID: 30384
Description: This anomaly would be triggered when an overlong parameter is sent to the HELO command of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier2.51 might be prone to an overflow vulnerability while parsing the crafted request. A successful attack could lead to remote code execution with the privileges of the current logged-in user.
Severity: high
Category: code-execution
Default action: alert
CVE: CVE-2004-1638
Hope this helps.
Thanks
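Added example, not part of the thread and not Palo Alto Networks' signature logic: a minimal detector for the kind of "overlong EHLO/HELO argument" anomaly that the description of signature 30384 refers to, run over constructed client-side SMTP lines. The 255-octet threshold is an assumption taken from the RFC 5321 domain length limit; the threshold the signature itself uses is not stated on this page, and the function names are hypothetical.

```python
import re

# Assumed threshold: RFC 5321 section 4.5.3.1.2 caps a domain at 255 octets.
# The real threshold of signature 30384 is not given on this page.
MAX_DOMAIN_OCTETS = 255

# EHLO/HELO verb, then optional whitespace-separated argument.
_HELO_RE = re.compile(rb"^(EHLO|HELO)(?:[ \t]+(.*))?$", re.IGNORECASE)


def check_helo_line(line: bytes, limit: int = MAX_DOMAIN_OCTETS):
    """Return (verb, arg_length, is_anomalous) for a greeting line, else None."""
    m = _HELO_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return None  # not an EHLO/HELO command
    arg = (m.group(2) or b"").strip()
    verb = m.group(1).upper().decode("ascii")
    return verb, len(arg), len(arg) > limit


def scan_session(lines, limit: int = MAX_DOMAIN_OCTETS):
    """Yield (line_number, verb, arg_length) for every overlong greeting."""
    for number, line in enumerate(lines, start=1):
        result = check_helo_line(line, limit)
        if result and result[2]:
            yield number, result[0], result[1]


# Constructed client-side SMTP lines (not captured traffic).
SAMPLE_SESSION = [
    b"EHLO mail.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"helo " + b"A" * 1100 + b"\r\n",   # overlong argument, lower-case verb
    b"EHLO [192.0.2.10]\r\n",           # address literal, normal length
    b"HELO\r\n",                        # missing argument, not overlong
]

if __name__ == "__main__":
    for number, verb, length in scan_session(SAMPLE_SESSION):
        print(f"line {number}: {verb} argument is {length} octets "
              f"(limit {MAX_DOMAIN_OCTETS})")
```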
01-27-2015 10:43 PM
Hello. Please see GHOST - Linux Remote Code Execution CVE-2015-0235 0-day vulnerability
01-28-2015 03:34 AM
When looking for information on a specific CVE the best place to start is the threat vault search.
https://threatvault.paloaltonetworks.com/
Once a CVE is covered in a signature it will be listed here. If it is not listed, it is not yet covered. PA does not normally publish documentation for every CVE. Those that are high or get a lot of press coverage like this then rate a document like the above.
01-28-2015 08:21 AM
Is the PA itself ok? The PAs run Linux?
01-28-2015 09:16 AM
choff123 wrote:
Is the PA itself ok? The PAs run Linux?
I have a case open and support are checking with our SE so I don't know if there is an official position yet.
Same story with all our vendors - "watch this space"
01-28-2015 11:23 AM
I'll keep watching but I'd be surprised if they were. This only affects processes that make DNS resolution calls.
01-29-2015 10:22 AM
Well I get tons of suspicious domain alerts in my inbox, those are resolved from IPs.
On the other hand, there was a patch for this a year or two ago that a lot of distros didn't apply. I would think PA uses a Linux branch in which they apply every security patch no matter what.
01-31-2015 05:26 AM
For the applicability of a CVE to PanOS itself, I recommend you open a case in support or contact your Sales Engineer.
This is one of what I consider the weaknesses of Palo Alto Networks as a company. They are as far from transparent as possible about which security issues affect their own PanOS. Most vendors have a customer-login-secured listing or database of how the various CVEs affect their products; Palo Alto only publishes this information in a spotty fashion, and usually in response to someone else pointing out that the issue affects PanOS.
If you need information about PanOS vulnerabilities create a case or work with your Sales Engineer to get the direct information.
02-01-2015 04:29 AM
Support have come back saying Palo Alto have confirmed PAN-OS is vulnerable.
No other details though.
Have to say I'm pretty disappointed at the lack of anything official from Palo Alto on this one - as a customer I shouldn't have to be the one chasing support to find out if a device we own and pay support on to protect our network is vulnerable or not.
02-02-2015 11:45 AM
Please see official response from Palo Alto Networks on this matter:
The Palo Alto Networks product security team has been working to investigate our exposure and patch options to address CVE-2015-0235, otherwise known as “GHOST”. This vulnerability has a massive footprint, affecting a commonly used function within glibc that has been around for decades. As such, countless software and embedded systems are impacted by this vulnerability, ours being no exception. However, at this time we are not aware of any specific remotely exploitable conditions enabled by this vulnerability that affects any of our products. We are working to develop a patch across all affected software, but we do not yet have an estimate for when a patch will be available. We will provide more information when an estimate is available.
We will do our best to proactively update all our customers as more information becomes available.
02-02-2015 12:54 PM
Palo Alto Networks Security Advisory Feb, 2015
GHOST: glibc vulnerability (CVE-2015-0235)
Last revised: 02/02/2015
Summary
The open source library “glibc” has been found to contain a recently discovered vulnerability (CVE-2015-0235, commonly referred to as “GHOST”) that has been demonstrated to enable remote code execution in some software. Palo Alto Networks software makes use of the vulnerable library, however there is no known exploitable condition in PAN-OS software enabled by this vulnerability at the time of this advisory. An update to PAN-OS will be made available that addresses CVE-2015-0235 in a regularly scheduled software maintenance update. (Ref # 74443)
Severity: Low
The exploitability of CVE-2015-0235 on vulnerable systems is highly dependent on the architecture and design surrounding use of the vulnerable functions within the system, and exploitable conditions found across various open source software libraries have so far been exceedingly rare. At the time of this advisory, Palo Alto Networks is not aware of any specific remotely exploitable condition enabled by this vulnerability that affects any Palo Alto Networks products.
Products Affected
PAN-OS 6.1.2 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier
Available Updates
A patch for the issue described in this bulletin will be made available in a regularly scheduled maintenance update for each supported release of PAN-OS. This bulletin will be updated as the releases are made available.
Workarounds and Mitigations
N/A
Acknowledgements
N/A