CVE-2015-0235 Ghost

L3 Networker


Just starting a thread for CVE-2015-0235, Ghost.

Anybody see any news from PA on this? I have not.

Cheers

L7 Applicator

Hello Choff123,

PAN is aware of this vulnerability. This has been notified. On Tuesday, January 27th, a Linux Remote Code Execution Vulnerability was discovered in the GetHost function in certain Linux distributions. This is also known as the "GHOST glib gethostbyname" buffer overflow vulnerability (CVE-2015-0235).

Our existing signature with TID# 30384 should protect against this vulnerability.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/30384

SMTP EHLO/HELO overlong argument anomaly

Signature ID: 30384

Description: This anomaly would be triggered when an overlong parameter is sent to the HELO command of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier 2.51 might be prone to an overflow vulnerability while parsing the crafted request. A successful attack could lead to remote code execution with the privileges of the current logged-in user.

Severity: high

Category: code-execution

Default action: alert

CVE: CVE-2004-1638

Hope this helps.

Thanks
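
The anomaly that signature 30384 describes, an overlong argument to SMTP HELO/EHLO, can also be checked for in recorded client commands. This is an added example, not part of the original thread and not vendor code; the 255-byte threshold (the RFC 5321 domain length limit), the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# RFC 5321 section 4.5.3.1.2 caps a domain name at 255 octets. Using that as
# the threshold is an assumption of this example, not the signature's value.
MAX_HELO_ARG = 255

# Client greeting: verb, whitespace, then the argument up to end of line.
HELO_RE = re.compile(rb"^(EHLO|HELO)[ \t]+(.*)$", re.IGNORECASE)


def overlong_helo(lines, limit=MAX_HELO_ARG):
    """Return (line_no, verb, arg_len) for each greeting whose argument exceeds limit."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        match = HELO_RE.match(raw.rstrip(b"\r\n"))
        if match and len(match.group(2)) > limit:
            verb = match.group(1).upper().decode()
            hits.append((line_no, verb, len(match.group(2))))
    return hits


# Constructed sample client commands (not captured traffic).
SAMPLE = [
    b"EHLO mail.example.org\r\n",
    b"MAIL FROM:<a@example.org>\r\n",
    b"HELO " + b"a" * 1200 + b"\r\n",   # far beyond any valid domain name
    b"ehlo " + b"a" * 255 + b"\r\n",    # exactly at the limit, not flagged
]

if __name__ == "__main__":
    for line_no, verb, size in overlong_helo(SAMPLE):
        print(f"line {line_no}: {verb} argument is {size} bytes")
```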

L7 Applicator

When looking for information on a specific CVE the best place to start is the threat vault search.

https://threatvault.paloaltonetworks.com/

Once a CVE is covered in a signature it will be listed here. If it is not listed it is not yet covered. PA does not normally publish documentation for every CVE. Those that are high or get a lot of press coverage like this then rate a document like the above.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L3 Networker


Is the PA itself OK? The PAs run Linux?

L4 Transporter

choff123 wrote:


Is the PA itself OK? The PAs run Linux?

I have a case open and support are checking with our SE so I don't know if there is an official position yet.

Same story with all our vendors - "watch this space" :smileyhappy:

L4 Transporter

I'll keep watching but I'd be surprised if they were.  This only affects processes that make DNS resolution calls.

L3 Networker

Well I get tons of suspicious domain alerts in my inbox, those are resolved from IPs.

On the other hand, there was a patch for this a year or two ago that a lot of distros didn't apply. I would think PA uses a Linux branch in which they apply every security patch no matter what.

L7 Applicator

For the applicability of a CVE to PanOS itself, I recommend you open a case in support or contact your Sales Engineer.

This is one of what I consider the weaknesses of Palo Alto Networks as a company. They are as far from transparent as possible about which security issues affect their own PanOS. Most vendors have a customer-login-secured listing or database of how the various CVEs affect their products; Palo Alto only publishes this information in a spotty fashion and usually in response to someone else pointing out that the issue affects PanOS.

If you need information about PanOS vulnerabilities create a case or work with your Sales Engineer to get the direct information.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Support have come back saying Palo Alto have confirmed PAN-OS is vulnerable.

No other details though.

Have to say I'm pretty disappointed at the lack of anything official from Palo Alto on this one - as a customer I shouldn't have to be the one chasing support to find out if a device we own and pay support on to protect our network is vulnerable or not.
