This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Is Palo vulnerable to the shell shock Linux bug?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is Palo vulnerable to the shell shock Linux bug?

Smi12
L2 Linker

‎09-25-2014 05:12 AM

Is Palo vulnerable to the shell shock Linux bug?

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

0 Likes Likes
15 REPLIES 15

panos
L6 Presenter

‎09-25-2014 05:35 AM

I also wonder if it is or not

There are some fixes and tests on the web for linux and macos but we don't have root access to test Smiley Happy

0 Likes Likes

mrsoldner
L0 Member
In response to panos

‎09-25-2014 05:38 AM

I believe the latest emergency content update addresses this:

Application and Threat Content Release Notes

Version 457

Notes: Earlier today, Wednesday, September 24th, Palo Alto Networks became aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability is CVE-2014-6271 and allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650

To address this vulnerability, Palo Alto Networks has released an emergency content update that provides detection of attempted exploitation of CVE-2014-6271 with IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with Critical severity and default action of "Alert." Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. If you have any questions about coverage for this advisory, please contact Support.

New Vulnerability Signatures (1)

SeverityIDAttack NameCVE IDVendor IDDefault ActionMinimum PAN-OS Version
critical36729Bash Remote Code Execution VulnerabilityCVE-2014-6271alert4.0.0

HULK
L7 Applicator

‎09-25-2014 05:38 AM

Hello Smi12,

Content update 457-2377 with coverage for CVE-2014-6271 Signature ID: 36729 "Bash Remote Code Execution Vulnerability" has been released . Please update the PAN firewall with latest Application and Threat database.


Thanks

0 Likes Likes

HULK
L7 Applicator

‎09-25-2014 05:42 AM

FYI..

emergency-content-release.jpg

Thanks

0 Likes Likes

bdeschut
L4 Transporter
In response to HULK

‎09-25-2014 05:56 AM

Good to know that there is a signature for it, but it doesn't answer the question if the OS itself is vulnerable of not

Kind regards,

Bob

chrisp
L3 Networker
In response to bdeschut

‎09-25-2014 06:18 AM

I agree with bdeschut...What's the story with that?

panos
L6 Presenter
In response to bdeschut

‎09-25-2014 06:20 AM

yes that was the real question I think

Smi12
L2 Linker

‎09-25-2014 07:35 AM

Still trying to work out if the Linux based PAN-OS including that used by Panorama is vulnerable to this also?  any thoughts HULK or  mrsoldner ?

0 Likes Likes

chrisp
L3 Networker
In response to Smi12

‎09-25-2014 07:43 AM

It is...Palo Alto Networks Product Vulnerability - Security Advisories

They have it as a LOW.

0 Likes Likes

dynamicv
L1 Bithead
In response to HULK

‎09-25-2014 07:46 AM

Default Action on the signature is set to alert, which is very strange for something that could potentially be used to create DHCP worms across virtually every non-Windows platform, including smartphones. 

We've installed the update onto all our PANOS boxes, but cannot see ID 36729 nor the CVE number appear in the signatures list. Regardless of that, if I create a rule to match the 36729 ID with block as the action will the device take it?

0 Likes Likes

mrsoldner
L0 Member
In response to dynamicv

‎09-25-2014 08:41 AM 

dynamicv wrote:




Default Action on the signature is set to alert, which is very strange for something that could potentially be used to create DHCP worms across virtually every non-Windows platform, including smartphones. 




We've installed the update onto all our PANOS boxes, but cannot see ID 36729 nor the CVE number appear in the signatures list. Regardless of that, if I create a rule to match the 36729 ID with block as the action will the device take it?

You can make an exception and change the default action.

  1. Go into your Vulnerability Protection Profile
  2. Click "Exceptions"
  3. Check "Show all signatures"
  4. Enter 36729
  5. Change the action to whatever you'd like it to be.
  6. Push policy.
0 Likes Likes

rvandegrift
Not applicable

‎09-25-2014 10:07 AM

PAN-OS includes bash, which means it is likely vulnerable:

test-box> debug cli detail

Environment variables :

(LANG . en_US.UTF-8)

(USER . admin)

(LOGNAME . admin)

(HOME . /opt/pancfg/home/admin)

(PATH . /usr/local/bin:/bin:/usr/bin)

(MAIL . /var/mail/admin)

(SHELL . /bin/bash)

(SSH_CLIENT . 192.0.2.1 57409 22)

(SSH_CONNECTION . 192.0.2.1 57409 192.0.2.2 22)

(SSH_TTY . /dev/pts/0)

(TERM . xterm)

(SSH_AUTH_SOCK . /tmp/ssh-vHZslV9235/agent.9235)

(LESSCHARSET . utf-8)

(PAN_BASE_DIR . /opt/pancfg/mgmt)

Build Target : panos-5000-mp

Build Type   : RELEASE

Total Heap : 7.16 M

Used       : 6.11 M

Nursery    : 0.12 M

0 Likes Likes

Elliot_Wilen
L2 Linker
In response to chrisp

‎09-25-2014 10:46 AM

"Low" vulnerability to PAN-OS is premised on only authenticated users being able to exploit.

But elsewhere I've seen reports that the vulnerability doesn't require authentication to exploit. Based on NVD - Detail it seems PAN-OS could (emphasize could) be vulnerable either through ssh or the web interface.

Also, like dynamicv, I can't see the signature in the update even when I follow mrsoldner's instructions.

EDIT: Some time after the above, I updated PAN-OS from 6.0.4. to 6.0.5, and rebooted the firewall as part of the update. The signature is visible now.

0 Likes Likes

gchandrasekaran
L2 Linker

‎09-26-2014 08:01 PM

Per product management, "The Bash vulnerability currently appears to be a low severity issue due to the fact that only authenticated users could potentially exploit the vulnerability against PAN-OS.  Normal PAN-OS maintenance release updates will provide a fix for the vulnerability."

Also, there is an internal bug open where the bash patch will be applied in the PAN-OS (it is yet to be confirmed in which release will the fix be available and whether it will be backported to the previous releases) Hope this helps.

  • 8743 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks