PANdora's Box


L0 Member

Anyone else seen this article from HackerNews?  Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits  I'm being told these are all old vulnerabilities and I shouldn't worry my pretty little head about them.  We've a couple of new 1410's on order and I'm wondering what, if anything, I need to do to ensure that I really don't need to worry.  Thoughts?

Accepted Solutions

Cyber Elite

Hello,

I went down the rabbit hole on this one and here is what I found:

  1. Requires your admin port to be open.
    1. If yours is secure in a restricted VLAN, you're safe. This was the first requirement.
  2. If you're running newer preferred code, you are safe because the access to the remote code execution was via an unpatched, unsecured admin interface.

So if you are good on both points, you're safe.

 

Regards,


3 REPLIES 3

Cyber Elite

@kenlacrosse,

I would wait to see if PAN actually publishes a security advisory regarding these findings, but the actual report details a lot of where these would stand. I'm personally not a fan of how Eclypsium handled their disclosure, with a significant amount of time between today and initial disclosure being the holiday period.

Looking through the vulnerabilities reported, none of them at first glance appear to be exploitable by themselves. The vast majority rely on a more complex attack chain where the known exploits have all been patched, or they require physical access to the device to exploit unnoticed.

 

Looking solely at those that affect the 1410 as an example:

 

CVE-2020-10713

As PAN noted at the time, you don't regularly have access to modify core system files. This (under normal circumstances) requires that you have access to generate one-time root access via TAC. Vulnerabilities to gain root level access to system files do exist, but they are patched in the latest releases. It's not that there's no impact, but the vulnerability relies on a chain to properly exploit; Eclypsium utilized known-vulnerable builds to exploit this issue.

PixieFail

My understanding is that you would need to boot into the PXE environment to exploit this. That would be a severely abnormal condition to have your firewall in.

Intel BootGuard
I've personally not seen any confirmation that the leak that exposed these keys actually impacts every Intel product that some claim it does. It very well could actually include Intel keys themselves, but I've never seen direct confirmation that this is the case. I've seen a lot of people parrot the original report without any confirmation one way or the other.



L1 Bithead

Palo Alto published regarding PANdora's Box.

 

PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin

 

Yeah, we too ordered a few 1410 models recently.
