CVE-2021-3059 - clarity on disabling dynamic updates


L1 Bithead

The Security Advisory for CVE-2021-3059 suggests disabling dynamic updates as a workaround for the vulnerability. However, it specifically says to go to the Device Deployment > Dynamic Updates interface (which is in the Panorama tab of my deployment).

How is that different than if you have schedules set under the Device Tab > Dynamic Updates?

Additionally, is it OK to manually download and install app/threat, av, and wildfire updates?

Accepted Solution

Cyber Elite

@BSwientoniowski,

If you're running Panorama you would want to do it in both locations for full mitigation. Device Deployment > Dynamic Updates is simply using Panorama to deploy the dynamic updates to your firewalls, whereas Device Tab > Dynamic Updates is having Panorama (or just a standalone firewall) reach out to PAN's update network to grab the updates.

 

As for the manual installation, assuming that you aren't concerned about MITM within your own network, this should be fine from what they've published. 


3 Replies

Cyber Elite

Hello,

So this is only my opinion, however I say keep the dynamic updates on. The risk is very low, even according to the article. An attacker would have to play man-in-the-middle with PAN's certificates and DNS resolution to pull this off. I would say the risk is higher if you disable the dynamic updates. However, yes, you can do them manually.

 

Regards,

Cyber Elite

I fully agree with @BPry and @OtakarKlier,

 

I was surprised that the advisory is not mentioning "verify update server identity" as a possible workaround...

How will you perform MITM if the firewall accepts only publicly trusted CAs? It is hard to imagine that an attacker will be able to get a public CA to sign his forged certificate...
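To make the "verify update server identity" point concrete, here is an added example (written for this thread, not code from the page or from Palo Alto Networks) of what such a check does for any TLS client: the certificate presented by the update server must chain to a root the client already trusts, and its name must match the host the client intended to reach. The example builds a constructed trusted root, a genuine certificate issued by it for a made-up hostname, and a forged certificate for the same hostname issued by a rogue CA, then verifies each the way a verifying client would. All names (`updates.example.test`, the CA names) are assumptions invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostnames for the illustration; not real update-server names.
const (
	updateHost = "updates.example.test"
	wrongHost  = "updates.example.invalid"
)

// newCert creates a certificate for subject, signed by issuer (self-signed when
// issuer is nil). isCA marks it as a root allowed to sign other certificates.
func newCert(subject string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// A server leaf: usable for server authentication and bound to its hostname.
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{subject}
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyServerIdentity is the check a verifying client performs: the presented
// certificate must chain to one of roots and must be valid for host.
func verifyServerIdentity(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario returns the verification result for a genuine certificate, a forged
// certificate from a rogue CA for the same hostname, and the genuine certificate
// checked against the wrong hostname.
func Scenario() (genuine, forged, wrongName error) {
	trustedCA, trustedKey, err := newCert("Constructed Trusted Root", true, nil, nil)
	if err != nil {
		return err, err, err
	}
	rogueCA, rogueKey, err := newCert("Constructed Rogue Root", true, nil, nil)
	if err != nil {
		return err, err, err
	}
	genuineLeaf, _, err := newCert(updateHost, false, trustedCA, trustedKey)
	if err != nil {
		return err, err, err
	}
	forgedLeaf, _, err := newCert(updateHost, false, rogueCA, rogueKey)
	if err != nil {
		return err, err, err
	}
	// The client trusts only the constructed root, standing in for the public CAs
	// a firewall would trust when server identity verification is enabled.
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	return verifyServerIdentity(genuineLeaf, roots, updateHost),
		verifyServerIdentity(forgedLeaf, roots, updateHost),
		verifyServerIdentity(genuineLeaf, roots, wrongHost)
}

func main() {
	genuine, forged, wrongName := Scenario()
	var unk x509.UnknownAuthorityError
	var hn x509.HostnameError
	fmt.Println("genuine cert accepted:", genuine == nil)
	fmt.Println("forged cert rejected as unknown authority:", errors.As(forged, &unk))
	fmt.Println("wrong hostname rejected:", errors.As(wrongName, &hn))
}
```

The forged certificate carries the right hostname and a valid signature, yet fails because its issuer is not in the trusted pool; that is the property the reply above relies on. Dropping the `Roots`/`DNSName` checks (or a firewall setting that does not verify the update server's identity) is what would let a spoofed DNS answer plus a self-signed certificate succeed.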
