OpenSSL Heartbleed bug: CVE-2014-0160

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

OpenSSL Heartbleed bug: CVE-2014-0160

L1 Bithead

Hi,

Just wondering if any Palo Alto versions are affected by this bug in OpenSSL?

http://heartbleed.com/

Regards

64 REPLIES 64

Is there any way of ensuring you have the correct one?

I logged to the emergency notification this morning and was unable to download on my firewalls (way to go for your content delivery network, Palo Alto, by the way - just fantastic that you send out an emergency noticew via email and then we can't download it), so I downloaded it from the support portal and installed manually - but I don't know how to tell if I have the correct version installed.

See the official response linked below:

Why was Emergency 429 Content Briefly Pulled?

To my knowledge, the original file was reposted and there were no changes made.

Fair enough. Thanks.

L4 Transporter

I have 429-2164 update installed, and I expected to sow in thread logs entries with ( threatid eq 36416) - but I haven't such entries.

I did some verification test by http://possible.lv/tools/hb/ webpage so in my opinion it should appear in thread logs.

Is it normal behaviour?

Regards

Slawek

Palo Alto has just released threat and content version 430

yes, and I've just applied it and still the same. No entries in threat log for threated 36416 when doing vulnerability tests with all available online tools.

Are you performing SSL inspection? Still trying to work out if this is required to catch this vulnerability with IPS... Depends if it happens inside an establish TLS tunnel or in clear text I suppose?

This does not require to have inbound SSL inspection in place. The vuln is detected during SSL negotiation.

L4 Transporter

I guess the targeted host must have a vulnerable version of openssl installed to trigger one of the four TP signatures. At least I cannot trigger an alert with 430 installed against a non vulnerable host. Makes sense somehow...

Thank you!

Got it all working perfectly now at several locations. I also created a custom rule to block/drop those medium severity signatures in the latest update, this results in the online tests failing too (malformed response) to give clients some extra peace of mind.

Seeing a large number of IPs from China trying to exploit this!

Several days of replacing SSL certificates ahead of me now!

Good luck !

davido140 wrote:

Thank you!

Got it all working perfectly now at several locations. I also created a custom rule to block/drop those medium severity signatures in the latest update, this results in the online tests failing too (malformed response) to give clients some extra peace of mind.

Seeing a large number of IPs from China trying to exploit this!

Several days of replacing SSL certificates ahead of me now!

What parameters did you use to trigger this rule?  I'm not seeing any way to trigger on a threat ID or anything like that.:smileyconfused:

Just used heartbleed in the threat name on the rule in the Vuln' protection profile and set the action to block

This forces traffic to be dropped for the "medium" severity threats related to heartbleed in the 430 update.

Effect from one of the online tests will be a timeout and you'll get an event in the threat log.

The target system MUST be vulnerable to trigger these signatures, if you've already patched it you wont see anything in the logs.

L4 Transporter

I cannot get the 430 update to download it failed

  • 25116 Views
  • 64 replies
  • 5 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!