This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA's security advisory stance needs fixing. PANOS less that 5.0.9 contains XSRF and I just happened to stumble on this, on an unrelated site

ericgearhart
L4 Transporter

‎12-06-2013 07:04 AM

I just stumbled on this security advisory while I was googling something totally unrelated...

http://packetstormsecurity.com/files/124184/panp-xssxsrf.txt

"These issues have been fixed in PANOS 5.0.9, mentioned in the release notes like this:

57343—Fixed an issue that caused improper handling of imported certificates that contained HTML."

Also I think this vulnerability isn't even listed here, on PA's Security Advisories page:

Palo Alto Networks Product Vulnerability - Security Advisories

This is the actual vulnerability:

"A couple of bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks.

Certificate fields are displayed in the firewall web interface without proper sanitization applied to them. This way it is possible to inject html into the web interface.

Various file upload forms used by the firewall do not implement proper CSRF protection. import.certificate.php for example. "

6 REPLIES 6

ericgearhart
L4 Transporter

‎01-05-2014 07:07 PM

One month later, still nothing about this on https://securityadvisories.paloaltonetworks.com/.....

0 Likes Likes

indup089
L2 Linker
In response to ericgearhart

‎01-09-2014 01:56 PM

I also opened a TAC case for this, answer from there is that the information is not yet published in the security advisories because the fix for PANOS 4.1.x is not available until now.....discussible argumentation...

0 Likes Likes

ericgearhart
L4 Transporter
In response to indup089

‎01-09-2014 02:05 PM

That's not an acceptable answer to me! When I can find the vulnerability on Palo Alto Networks PanOS 5.0.8 XSS / CSRF ≈ Packet Storm Packet Storm's site, it's out there for the public! At least let customers know there's a vulnerability

mikand
L6 Presenter
In response to ericgearhart

‎01-21-2014 01:03 AM

I have tried to file the above as a report towards PSIRT, lets see how long it will take for them to reply...

0 Likes Likes

mikand
L6 Presenter
In response to mikand

‎01-22-2014 02:35 PM

Just wanted to update that I got an explanation from PSIRT and even if I dont fully agree with them I do understand their point of view.

In short: an advisory will show up as soon as there is a fix available for all current PANOS versions.

0 Likes Likes

ericgearhart
L4 Transporter
In response to mikand

‎01-22-2014 04:17 PM

Thanks for dilligently chasing this down mikand

0 Likes Likes
  • 3887 Views
  • 6 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks