08-11-2021 04:47 AM - edited 08-11-2021 06:09 AM
Hello team, one of my clients wants to know the stable version of PAN-OS; their current one is 9.1.5. I suggested the minimum Apps/Threat, GlobalProtect and User-ID versions and proposed PAN-OS 10.0.6. After that the client sent me the issue below. PAN-OS 10.0.7 is under monitoring; please let me know if there is any solution for this. Issue ID: PAN-154433
PA-820 HA.
Priority 1
Impact
Loss of Availability
Loss of Confidentiality
Loss of Integrity
Description
Palo Alto Networks PAN-OS contains an overflow condition related to the useridd process that is triggered as certain input is not properly validated. This may allow an attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
Palo Alto Networks PAN-OS contains a flaw in the GTP-U that is triggered as the firewall cannot properly detect end-user IP address spoofing when using an IPv6 address. This may allow a remote attacker to bypass firewall protection mechanisms.
Affected Versions
Palo Alto Networks -> PAN-OS -> 10.0.6
Fixed Versions
Palo Alto Networks -> PAN-OS -> 10.0.7
Solution
Update to a fixed version.
Reference
08-11-2021 04:57 AM
Hi there,
Are there any features that you require in your deployment that are only available in the 10.0.x release? If not, then you are probably better off using the preferred 9.1.10 release.
If there are features that require moving to the 10.0.x release, the next question is are you supporting IPv6? If not, then you have a valid mitigation for this vulnerability.
cheers,
Seb.
08-11-2021 05:51 AM
@SebRupik is absolutely right. If you do not need any features from 10.0, then I recommend waiting at least until the x.y.8 or even x.y.9 release. Prior to that I normally don't even consider upgrading to the next version. I had too many problems in the past when I upgraded production firewalls prior to these minor versions. Of course it always depends on which features you use, but in general the risk of hitting a bug isn't worth it unless you really need a new feature.
(If you have a lab environment where you can test everything, and I really mean everything, with more than just 1 or 2 users, then you should be able to reduce the risk of problems.)
08-11-2021 06:27 AM
What about:
Palo Alto Networks PAN-OS contains an overflow condition related to the useridd process that is triggered as certain input is not properly validated. This may allow an attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
It applies when the User-ID agent is configured, right?
08-11-2021 06:57 AM
Is that text from the same PAN-OS issue ID (PAN-154433)? From the summary it sounds as if, when the User-ID agent has not been enabled on the firewall, you have nothing to worry about.
cheers,
Seb.
08-11-2021 07:08 AM
Fixed a buffer overflow issue related to the user id process.
No, this text is from another PAN-OS issue ID.
So for this issue, if the User-ID agent has not been enabled on the firewall, we have nothing to worry about, right?
08-11-2021 07:14 AM
Exactly. Most of the unresolved issues on a release can be mitigated by the fact that a particular feature is not part of the running config.
cheers,
Seb.
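The replies above boil down to three checks a practitioner would make before picking a target release: is the candidate build below the fixed version for each issue, is the feature that exposes the issue (User-ID agent, or GTP inspection together with IPv6) actually in the running config, and has the train reached the x.y.8 maintenance level. The script below is an added example that encodes that decision logic; it is not Palo Alto Networks code and not from the original thread. The only advisory data it carries is what the thread states (10.0.6 affected, 10.0.7 fixed); reading "fixed in 10.0.7" as "every 10.0.x below 10.0.7 is affected" is an assumption, and the 9.1 train is deliberately marked unknown rather than safe because the thread gives no fix data for it. The candidate lists and feature sets passed in are constructed inputs.

```python
"""Upgrade-planning check for the PAN-OS advice in this thread (added example,
not vendor code). Advisory data is limited to what the thread states."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Accepts "9.1.5", "10.0.7" and hotfix builds such as "10.0.7-h3".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a PAN-OS version string into a comparable tuple.

    A missing hotfix counts as 0, so "10.0.7" < "10.0.7-h1" and both sort
    after "10.0.6"; tuple comparison then gives the ordering we need.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def fmt(v: Version) -> str:
    """Inverse of parse_version."""
    maj, mn, mt, hf = v
    return f"{maj}.{mn}.{mt}" + (f"-h{hf}" if hf else "")


def train(v: Version) -> Tuple[int, int]:
    """Release train, e.g. (10, 0) for every 10.0.x build."""
    return v[0], v[1]


@dataclass(frozen=True)
class Advisory:
    name: str
    # Config features that must ALL be present for the issue to be reachable.
    requires: FrozenSet[str]
    # Release train -> first fixed build. Trains not listed are reported as
    # "unknown-train", never as safe.
    fixed_in: Dict[Tuple[int, int], Version]


# From the thread: both issues list 10.0.6 as affected, 10.0.7 as fixed.
# ASSUMPTION: a fixed-version entry means every earlier build of that
# train is affected. Feature mapping follows the replies: the useridd
# overflow needs the User-ID agent; the GTP-U bypass needs GTP inspection
# and IPv6.
ADVISORIES = [
    Advisory("useridd buffer overflow", frozenset({"user-id"}),
             {(10, 0): parse_version("10.0.7")}),
    Advisory("GTP-U IPv6 spoofing bypass", frozenset({"gtp", "ipv6"}),
             {(10, 0): parse_version("10.0.7")}),
]


def assess(version_text: str, enabled: FrozenSet[str]) -> Dict[str, str]:
    """Classify each advisory for a build and the features in its config.

    "fixed": build is at or past the fix; "exposed": vulnerable build and the
    feature set is present; "mitigated-by-config": vulnerable build but the
    feature is not configured (Seb's point); "unknown-train": no fix data.
    """
    v = parse_version(version_text)
    result: Dict[str, str] = {}
    for adv in ADVISORIES:
        fixed = adv.fixed_in.get(train(v))
        if fixed is None:
            result[adv.name] = "unknown-train"
        elif v >= fixed:
            result[adv.name] = "fixed"
        elif adv.requires <= enabled:
            result[adv.name] = "exposed"
        else:
            result[adv.name] = "mitigated-by-config"
    return result


def is_mature(v: Version, min_maint: int = 8) -> bool:
    """The 'wait for x.y.8' rule from the thread."""
    return v[2] >= min_maint


def pick_target(candidates: List[str], enabled: FrozenSet[str],
                need_10_0: bool) -> str:
    """Choose an upgrade target the way the replies suggest.

    Restrict to 10.0.x only when a 10.0-only feature is needed, drop any
    build that leaves an advisory "exposed" for this config, then prefer the
    newest mature build, falling back to the newest remaining one.
    """
    ok: List[Version] = []
    for c in candidates:
        v = parse_version(c)
        if need_10_0 and train(v) != (10, 0):
            continue
        if "exposed" in assess(c, enabled).values():
            continue
        ok.append(v)
    if not ok:
        raise ValueError("no candidate satisfies the constraints")
    mature = [v for v in ok if is_mature(v)]
    return fmt(max(mature or ok))


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: client on 9.1.5 with User-ID.
    features = frozenset({"user-id"})
    for build in ("10.0.6", "10.0.7"):
        print(build, assess(build, features))
    print("no 10.0 features ->", pick_target(["9.1.10", "10.0.6", "10.0.7"], features, False))
    print("10.0 feature needed ->", pick_target(["9.1.10", "10.0.6", "10.0.7"], features, True))
```

With a User-ID-only config the script reproduces the thread's advice: 10.0.6 is exposed to the useridd issue and mitigated by config for the GTP-U one, so it is dropped; 9.1.10 wins when no 10.0 feature is required because it is the only mature build, and 10.0.7 is chosen when one is. Treating an unlisted train as "unknown-train" rather than fixed is the deliberate conservative choice: a candidate on such a train is not blocked here, but the caller must still check the advisory for that train before committing.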