02-27-2018 02:49 AM
Hello friends,
I have some signatures with FortiGate names and I need to know the equivalent in Palo Alto. Palo Alto doesn't identify them by CVE. Could anyone help me?
web_app3: Narcissus.Image.Configuration.Remote.Command.Execution
CVE-2015-1579 CVE-2014-9734
applications3: Ektron.XSLT.Transform.Remote.Code.Execution
CVE-2012-5357
applications3: OpenVAS.Web.Scanner
Thanks
02-27-2018 03:09 AM
Are these CVEs still active in the wild?
If CVEs are no longer active in the wild, or have long been patched, they are removed from the PANW threat vault to make way for more current signatures.
02-27-2018 06:17 AM
All of these CVEs you've identified, as @reaper made note to, have been addressed by software updates for a while. If you are still running software that this actually covers I would HIGHLY recommend that you update them to something current.
Ektron has been patched for literally years. The first two threats that you mention are only on select themes, and only two of the affected themes are under active development with patched versions.
I would say that this is mostly a 'non-issue' for the most part. You shouldn't actually need these signatures anymore.
02-27-2018 07:14 AM
Sorry, but if I understood correctly:
These CVEs were active for a while, but Palo Alto erased them from its signatures because updating the host application made it non-exploitable by these methods?
Thanks and regards.
02-27-2018 07:41 AM
In short: yes
The longer version is: To ensure we are able to scan traffic quickly, it is efficient to keep the threat database small in size. To be able to provide the best possible coverage, we investigate which signatures are active 'in the wild', which ones are dangerous and which ones are still relevant.
If a vulnerability is widely patched, it is safe to assume the threat level becomes lower, and if the signature is not picked up in the wild much any more, that means the signature has become obsolete and it is safe to delete from the repository, thus ensuring only the important signatures are used to scan your traffic.