PANOS 10.0.6

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

PANOS 10.0.6

L3 Networker

Hello, team One of my client want to know the stable version of PANOS there current one is 9.1.5 I suggested them with min apps threat Global protect user-id version and suggest the PANOS 10.0.6 After that the client send me the issue below. The PANOS 10.0.7 is under Monitoring please let me if there is any solution for this. PAN-154433 issue id

PA-820 HA.

 

Priority 1

 

Impact

 

Loss of Availability
Loss of Confidentiality
Loss of Integrity

 

Description

 

Palo Alto Networks PAN-OS contains an overflow condition related to the useridd process that is triggered as certain input is not properly validated. This may allow an attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

Palo Alto Networks PAN-OS contains a flaw in the GTP-U that is triggered as the firewall cannot properly detect end-user IP address spoofing when using an IPv6 address. This may allow a remote attacker to bypass firewall protection mechanisms.

 

Affected Versions

 

Palo Alto Networks -> PAN-OS -> 10.0.6

 

Fixed Versions

 

Palo Alto Networks -> PAN-OS -> 10.0.7

 

Solution

 

Update to a fixed version.

 

Reference

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-addressed-issues/pan-...

6 REPLIES 6

L3 Networker

Hi there,

Are there any features that you require in your deployment that are only available in the 10.0.x release? If not, then you are probably better off using the preferred 9.1.10 release.

If there are features that require moving to the 10.0.x release, the next question is are you supporting IPv6? If not, then you have a valid mitigation for this vulnerability.

 

cheers,

Seb.

@SebRupik is absolutely right. If you do not need any features from 10.0 then I recommend to wait at least until x.y.8 or even x.y.9 release. Prior to that I normally don't even consider upgrading to the next version. I had too many problems in the past when I upgraded production firewalls prior to these minor versions. Of course it always depends on which features you use but in general the risk of hitting a bug isn't worth it unless you really need a new feature.

(If you have a lab environment where you can test everything - and I really mean everything with not only 1 or 2 users, then you should be able to reduce the risk of problems)

Thankyou@Sebrupik

what about 

Palo Alto Networks PAN-OS contains an overflow condition related to the useridd process that is triggered as certain input is not properly validated. This may allow an attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

It is based on when the User id agent is Configured right?

 

Is that text from the same PANOS Issue ID (154433) ? From the summary it sounds as if the user-id agent has not been enabled on the firewall you have nothing to worry about.

 

cheers,

Seb.

PAN-158372

Fixed a buffer overflow issue related to the user id process.

No, this text is from another PANOS issue id 

So for this issue, if the user -id agent has not been enabled on the firewall we have nothing to worry about right?

 

Exactly, most of the unresolved issues on a release can be mitigated by the fact a particular feature is not part of the running config.

 

cheers,

Seb.

  • 3104 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!