Palo High vulnerability issue.

cancel
Showing results for 
Search instead for 
Did you mean: 

Palo High vulnerability issue.

Not applicable

Dear,

the palo's on our public internet are being scanned for vulnerabilities and other open issues. Last week scanning a issue regarding "OpenSSL ASN.1 Parsing Vulnerabilities port 443/tcp over SSL" on the portal website of the Palo for ssl-vpn access was detected and marked high.

The security officer now wants to get this solved in a few days. What can we do about it as shutting down SSL portal is not possible either.

Here the full data from this report.

"

QID: 38224

Category: General remote services

CVE ID: CVE-2003-0543, CVE-2003-0544, CVE-2003-0545, CVE-2005-1730

Vendor Reference: -

Bugtraq ID: 8732

Service Modified: 11/06/2009

User Modified: -

Edited: No

PCI Vuln: Yes

First Detected: 06/05/2012 at 18:01:45 (GMT+0200) Last Detected: 06/05/2012 at 18:01:45 (GMT+0200) Times Detected: 1

SOLUTION:

The OpenSSL Project released OpenSSL versions 0.9.6k and 0.9.7c to address these issues. Any application dynamically linked to OpenSSL

libraries should be restarted after applying fixes. Applications that are statically linked to OpenSSL libraries should be recompiled after upgrading

OpenSSL.

Red Hat released an advisory (RHSA-2003:291-01) to address these issues. Fixes may be applied with the Red Hat Update Agent. Manual fixes are

also listed in the advisory.

OpenPKG released advisory OpenPKG-SA-2003.044 to address these issues. Please see the advisory for details on obtaining and applying fixes.

Apple addressed these issues in MacOS X 10.2.8."

Anyone had the same issue ?

Regards

Geert

1 ACCEPTED SOLUTION

Accepted Solutions

L3 Networker

Hi Geert,

As of PAN-OS 4.0.0, we use OpenSLL 0.9.8p, which is not affected by this vulnerability.  The Qualys scan cannot confirm the vulnerability exists, so it states it just to be thorough.

View solution in original post

8 REPLIES 8

L4 Transporter

+1 to this.

I have an open ticket in regard to this as well.

If you have not opened a ticket with support, please do so it should help with the escalation for resolution

Thanks

James

Couple of clarification questions

What version of PANOS are you running and which VPN/GP client do you have installed - we are running 4.0.11 with NetConnect 1.3.3

Who is you scan provider?  We are using Qualys (I believe)

Thanks

James

L3 Networker

Hi Geert,

As of PAN-OS 4.0.0, we use OpenSLL 0.9.8p, which is not affected by this vulnerability.  The Qualys scan cannot confirm the vulnerability exists, so it states it just to be thorough.

View solution in original post

Hi,

yes we are running 4.0.9 and 4.0.10 ont two different cluster  with both 1.3.3, and yes it is Qualys doing the scans.

So suppose we are safe, as since 4.0.0 the updated openssl is being used.

L1 Bithead

FYI on 4.1.X the OpenSSL version is also OpenSLL 0.9.8

L4 Transporter

Hello,

What version is open SSL Library in PANOS 5.0.x???

Hi.

PANOS have been used for OPEN SSL 0.9.8 and that has not vulnerability of Open SSL issue. But newer OpenSSL issue has got a problem of PAN and you should call and question your local SE and He can provide you proper information for the issue.

I have been always monitoring for you on the PAN community. Smiley Happy

Thanks.

Thanks Roh.

Your monitoring always gives me a scare.

Anyway, I need a detail version. For example, 0.9.8p or 0.9.8za or etc.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!