PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

Showing results for 
Search instead for 
Did you mean: 

PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

L6 Presenter

So are there any response available from PAN regarding the topic which you can read below?


Like when are updates scheduled to be released, any mitigations you can perform before updates are available etc?


Or are they already disclosed (and fixed) over at ?


Im thinking of:


Attacking Next-Generation Firewalls: Breaking PAN-OS


MARCH 16, 2016 (AT 11:30 A.M.) IN ATTACK & RESEARCH


"Next-Generation" firewalls provide functionality well beyond the traditional filtering capabilities. They offer deep protocol inspection, application identification, user based filtering, VPN functionality and more.


While this significantly increases the attack surface of these devices, little public research is available. In this talk I will present an in-depth analysis of one of the leading NGFW solutions: Palo Alto’s PAN-OS. Besides describing the overall system architecture, I will discuss and demonstrate several critical vulnerabilities in the different components that can result in a full remote compromise of the appliance. To go beyond 2015 & the pure bashing of security appliances, I’ll also present some positive insights.


All vulnerabilities in this talk were disclosed to the vendor in 2015. The vendor is providing patches. The vulnerabilities will be demonstrated live during the talk, but if there is no patch available by the time of the talk, we will not show exploit code.



Felix is a security researcher working for ERNW GmbH. His main interests are application security, reverse engineering and virtualization security. Felix has disclosed critical vulnerabilities in popular software such as Hyper-V, Xen, Typo3 or IBM GPFS and has presented his work at international conferences like PHDays, Hack in the Box, Infiltrate and Troopers.


Accepted Solutions

Looks like this is the case:


Command Injection in Command Line Interface, PAN-SA-2016-0002


Unauthenticated Command Injection in Management Web Interface, PAN-SA-2016-0003


Unauthenticated Stack Exhaustion in GlobalProtect/SSL VPN Web Interface, PAN-SA-2016-0004


Unauthenticated Buffer Overflow in GlobalProtect/SSL VPN Web Interface, PAN-SA-2016-0005

View solution in original post


Cyber Elite
Cyber Elite



You'll most likely find most relevant information in the Security Advisories or in the release notes. As there are no references to specific vulnerabilities or CVE it's difficult to positively identify what this person is referencing exactly, so it might be best to reach out to your SE if you need an official statement or support if you seek coverage for a specific vulnerability




Tom Piens
PANgurus - (co)managed services and consultancy

@mikand I'm with Tom on this one.  "oh the sky is falling oh the sky is falling."  As this "press release" provides no information what-so-ever it seems more like "Troopers" is just fishing for media time.  If things were really as bad as they're trying to make things out to be why wait?  Why not let the community know?

I did contact the SE for PAN in Sweden but still (after a week) didnt get any reply.


So thats why I turned to the community forum since I know PAN people do hang out here aswell.


I have also contacted this morning (about 12 hours ago) but still no response that way either.


To me it looks like PAN isnt too interrested in responding to this?

I dont see anything wrong with the marketing about this speech (among others) at Troopers.


They usually have good stuff (as do Blackhat, Defcon and CCC).


Not disclosing the vulns before the speech/talk (but also only disclose those who was patched) falls into the ethical hacking code of conduct.


That is you will notify the vendor and give them reasonable amount of time to fix the vulns you have discovered. This way you can make a coordinated release of your material (poc, exploit etc) along with the vendor who now will have patches available for their customers.


In this particular case its mentioned that PAN was notified about these vulns during 2015 and I as a customer would like to know more such as which (minor)version will contain the fixes, when are these versions (assuming 6.0, 6.1, 7.0 and perhaps even 7.1 series are affected and will receive updates for this) expacted to be released and if there exists any mitigations I can apply right now?


For example if it turns out that PAN have similar backdoor to their gear as Juniper and Fortinet already got the mitigation could be to use other devices in order to protect access to mgmt-interfaces, make sure you dont expose mgmt-interfaces (such as SSH) on any dataplane interface etc...

@mikand I get what you're saying but if you look at Black Hat ...


You can at least get a synopsis of what the presenter is going to address, my contention with this sole media play is there is nothing other than "OMG ... PAN haz vulnz"


No kidding...EVERY IT product is going to have it's security vulnerabilities.  We don't know what Palo has done (if anything) to address what Troopers brought to their attention.


If Troopers would have released something even in the ballpark at least WE the "Community" could scour the CVEs for something related to what Troopers says is out there; but they didn't do that.  So now we're left with baited breath needing to pay for this first hand knowledge.










"These vulnerabilities allow an attacker to take advantage of unsecure apps certified by OEMs and carriers to gain unfettered access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more. In this session, Lacoon researchers will walk through the technical root cause of these responsibly-disclosed vulnerabilities including hash collisions, IPC abuse and certificate forging which allow an attacker to grant their malware complete control of a victims device. We'll explain why these vulnerabilities are a serious problem that in some ways can't be completely eliminated, show how attackers exploit them, demonstrate an exploit against a live device, and provide remediation advice."


They don't tell you how to exploit the code but Black Hat at least lets the community knows WHAT the issue or vulnerability offers up.  Troopers didn't do anything of the sort.  So asking a technology provider to address "tell me everything you've done wrong" is kinda like pissing into the wind.

Nothing earth shattering revealed from Troopers...Vulnerabilities sure, but nothing no other similar IT product doesn't routinely have happen.


With mitigations and fixes for all seems like, just as I thought, much ado about nothing!

Looks like this is the case:


Command Injection in Command Line Interface, PAN-SA-2016-0002


Unauthenticated Command Injection in Management Web Interface, PAN-SA-2016-0003


Unauthenticated Stack Exhaustion in GlobalProtect/SSL VPN Web Interface, PAN-SA-2016-0004


Unauthenticated Buffer Overflow in GlobalProtect/SSL VPN Web Interface, PAN-SA-2016-0005

Hopefully the video will shortly arrive at

I'm sure everyone else on here got that e-mail but in case you didn't here's a snippet:


" ...All customers are advised to upgrade PAN-OS and Panorama to the latest maintenance releases before March 16th, 2016, when details of the vulnerabilities will be publicly disclosed at a security conference in Germany by the security researcher that discovered and reported these issues to us..."

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!