CVE-2015-0235 Ghost


L3 Networker

Just starting a thread for CVE-2015-0235, Ghost.

Anybody see any news from PA on this? I have not.

Cheers


L7 Applicator

Hello Choff123,

PAN is aware of this vulnerability. This has been notified. On Tuesday, January 27th, a Linux Remote Code Execution Vulnerability was discovered in the GetHost function in certain Linux distributions. This is also known as the "GHOST glib gethostbyname" buffer overflow vulnerability (CVE-2015-0235).

Our existing signature with TID# 30384 should protect against this vulnerability.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/30384

SMTP EHLO/HELO overlong argument anomaly

Signature ID : 30384

Description: This anomaly would be triggered when an overlong parameter is sent to the HELO command of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier 2.51 might be prone to an overflow vulnerability while parsing the crafted request. A successful attack could lead to remote code execution with the privileges of the current logged-in user.

Severity high

Category code-execution

Default action alert

CVE CVE-2004-1638

Hope this helps.

Thanks
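Added example (not part of the original post and not Palo Alto Networks' signature logic): a check of the kind the signature description above refers to, flagging HELO/EHLO arguments longer than a limit in captured SMTP command lines. The 255-octet limit is an assumption taken from the RFC 5321 domain-length cap; the function names and sample records are constructed for illustration.

```python
import re

# Assumption: RFC 5321 caps a domain name at 255 octets; the vendor
# signature's real threshold is not published on this page.
MAX_HELO_ARG = 255

# Matches the greeting verb case-insensitively, then an optional argument.
_GREETING = re.compile(rb"^(HELO|EHLO)(?:[ \t]+(.*))?$", re.IGNORECASE)


def check_greeting(line: bytes, limit: int = MAX_HELO_ARG):
    """Return (verb, arg_len, overlong) for a HELO/EHLO line, else None."""
    m = _GREETING.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    arg = (m.group(2) or b"").strip()
    return m.group(1).upper().decode("ascii"), len(arg), len(arg) > limit


def scan(records, limit=MAX_HELO_ARG):
    """Return alert dicts for (client_ip, raw_line) records with overlong greetings."""
    alerts = []
    for client, line in records:
        result = check_greeting(line, limit)
        if result and result[2]:
            verb, size, _ = result
            alerts.append({"client": client, "verb": verb, "arg_len": size})
    return alerts


# Constructed sample input (documentation-range addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", b"EHLO mail.example.org\r\n"),
    ("192.0.2.10", b"MAIL FROM:<a@example.org>\r\n"),
    ("198.51.100.7", b"HELO " + b"a" * 1200 + b"\r\n"),
    ("203.0.113.5", b"ehlo " + b"x" * 255 + b"\r\n"),  # exactly at the limit
    ("203.0.113.9", b"helo\t" + b"y" * 256 + b"\n"),    # one octet over
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The same function can be pointed at lines pulled from an MTA's protocol log to see how often legitimate senders come near the limit before choosing between alerting and blocking.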

L3 Networker

L7 Applicator

When looking for information on a specific CVE the best place to start is the threat vault search.

https://threatvault.paloaltonetworks.com/

Once a CVE is covered in a signature they will be listed here. If they are not listed it is not yet covered. PA does not normally publish documentation for every CVE. Those that are high or get a lot of press coverage like this then rate a document like the above.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center


Is the PA itself OK? The PAs run Linux?

choff123 wrote:


Is the PA itself OK? The PAs run Linux?

I have a case open and support are checking with our SE so I don't know if there is an official position yet.

Same story with all our vendors - "watch this space" :)

I'll keep watching but I'd be surprised if they were.  This only affects processes that make DNS resolution calls.

Well I get tons of suspicious domain alerts in my inbox, those are resolved from IPs.

On the other hand, there was a patch for this a year or two ago that a lot of distros didn't apply. I would think PA uses a Linux branch in which they apply every security patch no matter what.

For the applicability of a CVE to PanOS itself, I recommend you open a case in support or contact your Sales Engineer.

This is one of what I consider the weaknesses of Palo Alto Networks as a company. They are as far from transparent as possible about which security issues affect their own PanOS. Most vendors have a customer-login-secured listing or database of how the various CVEs affect their products; Palo Alto only publishes this information in a spotty fashion and usually in response to someone else pointing out that the issue affects PanOS.

If you need information about PanOS vulnerabilities create a case or work with your Sales Engineer to get the direct information.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Support have come back saying Palo Alto have confirmed PAN-OS is vulnerable.

No other details though.

Have to say I'm pretty disappointed at the lack of anything official from Palo Alto on this one - as a customer I shouldn't have to be the one chasing support to find out if a device we own and pay support on to protect our network is vulnerable or not.

L4 Transporter

Please see official response from Palo Alto Networks on this matter:

The Palo Alto Networks product security team has been working to investigate our exposure and patch options to address CVE-2015-0235, otherwise known as “GHOST”.  This vulnerability has a massive footprint, affecting a commonly used function within glibc that has been around for decades.  As such, countless software and embedded systems are impacted by this vulnerability, ours being no exception. However, at this time we are not aware of any specific remotely exploitable conditions enabled by this vulnerability that affects any of our products.  We are working to develop a patch across all affected software, but we do not yet have an estimate for when a patch will be available.  We will provide more information when an estimate is available.

We will do our best to proactively update all our customers as more information becomes available.


L4 Transporter

Palo Alto Networks Security Advisory Feb, 2015

GHOST: glibc vulnerability (CVE-2015-0235)

Last revised: 02/02/2015


Summary

The open source library “glibc” has been found to contain a recently discovered vulnerability (CVE-2015-0235, commonly referred to as “GHOST”) that has been demonstrated to enable remote code execution in some software. Palo Alto Networks software makes use of the vulnerable library, however there is no known exploitable condition in PAN-OS software enabled by this vulnerability at the time of this advisory. An update to PAN-OS will be made available that addresses CVE-2015-0235 in a regularly scheduled software maintenance update. (Ref # 74443)


Severity: Low

The exploitability of CVE-2015-0235 on vulnerable systems is highly dependent on the architecture and design surrounding use of the vulnerable functions within the system, and exploitable conditions found across various open source software libraries have so far been exceedingly rare. At the time of this advisory, Palo Alto Networks is not aware of any specific remotely exploitable condition enabled by this vulnerability that affects any Palo Alto Networks products.


Products Affected

PAN-OS 6.1.2 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier


Available Updates

A patch for the issue described in this bulletin will be made available in a regularly scheduled maintenance update for each supported release of PAN-OS. This bulletin will be updated as the releases are made available.


Workarounds and Mitigations

N/A


Acknowledgements

N/A
