11-10-2021 12:13 PM
The Security Advisory for CVE-2021-3059 suggests disabling dynamic updates as a workaround for the vulnerability. However, it specifically says to go to the Device Deployment > Dynamic Updates interface (which is in the Panorama tab of my deployment).
How is that different than if you have schedules set under the Device Tab > Dynamic Updates?
Additionally, is it OK to manually download and install app/threat, av, and wildfire updates?
11-10-2021 02:39 PM
Hello,
So this is only my opinion, however I say keep the dynamic updates on. The risk is very low even according to the article. An attacker would have to play man in the middle with PAN's certificates and DNS resolution to pull this off. I would say the risk is higher if you disable the dynamic updates. However yes you can do them manually.
Regards,
11-10-2021 09:03 PM
If you're running Panorama you would want to do it in both locations for full mediation. Device Deployment > Dynamic Updates is simply using Panorama to deploy the dynamic updates to your firewalls, whereas Device Tab > Dynamic Updates is having Panorama (or just a standalone firewall) reach out to PAN's update network to grab the updates.
As for the manual installation, assuming that you aren't concerned about MITM within your own network, this should be fine from what they've published.
11-11-2021 07:35 AM
I fully agree with @BPry and @OtakarKlier,
I was surprised that the advisory is not mentioning the "verify update server identity" as a possible workaround...
How will you perform MITM if the firewall accepts only publicly trusted CAs? It is hard to imagine that an attacker will be able to get a public CA to sign his forged certificate...