NSS Labs Report - Mitigation for claimed vulnerabilities?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NSS Labs Report - Mitigation for claimed vulnerabilities?

L4 Transporter

Seriously? | NSS Labs

Could someone elaborate on the section which says:


All PAN-OS devices require a configuration change to detect even the most basic TCP stream segmentation evasions. The “Mismatched overlapping TCP segment” protection in the Zone Protection profile is not enabled by default, which allows attackers to bypass the device completely using TCP stream segmentation with overlapping data evasion techniques. NSS strongly recommends that this protection is always enabled – any PAN customer that has not checked this box is at extreme risk.


I've not come across this and would like to know if it's suggested to enable it?

10 REPLIES 10

L5 Sessionator

Hi NetworkAdmin,

You can find following document to answer some of your question:

Response to Recently Released 2014 NSS Next-Generation Firewall Comparative Analysis - Palo Alto Net...

Thank you.

L0 Member

I had thought about posting that same report in hopes of seeing / hearing other thoughts.

This video was also ... interesting to say the least.

Note:  I understand this appears to be a CheckPoint smear channel, it's still interesting to see the vulnerability.  

Palo Alto Netowrks IPS evasion DEMO - NSS Labs - YouTube

Hello,

I have tried attack which is shown in previously mentioned video (Palo Alto Netowrks IPS evasion DEMO - NSS Labs - YouTube) and it was not successful over PA. It looks like PA (6.0.5, app&threat 459-2387) is blocking all segmented SMB traffic.

smb_seg.png

smb_seb_vuln.png

L2 Linker

ask PA Smiley Happy

L2 Linker

I have to add that all I tried was conficker attack using single "smb_seg" evasion as shown in video which was stopped using signature not normalization. I haven't ran Evader in Automatic Evasions mode for 12 hours as shown in video..

Strangely some messages from and one from me disappeared in this thread.

Hi Lios,

Thanks for inputs. As I said PANW first gathers all fragemetns, IF any fragment is

missing or overlapping than it simply drops all fragments.

Regards,

Hardik Shah

Then I wrote that it looks like PA is blocking ANY fragmented SMB traffic not just with missing or overlapping fragments.

Hi Lion,

That might be true.

Regards,

Hardik Shah

Interesting, why would it block genuine fragments ?

My response (ask PA) is still here..

L2 Linker

L2 Linker

So;  the fixes are not enough ?

  • 6042 Views
  • 10 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!