12-06-2024 07:34 AM
Hi Guys,
I was reading this article https://security.paloaltonetworks.com/CVE-2024-0012.
Per the article, 'Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,'
I have Threat Prevention subscription. Where do I check Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 to see if they're set to block mode?
How do I set them to block mode if they aren't set to block mode?
Thanks.
12-06-2024 08:43 AM
The Apps&Threats signatures generally show up under your Anti-Virus, Anti-Spyware, or Vulnerability Protection profiles (depending on the threat type), if you have a Threat Prevention license. You can also check the type and default status from Threat Vault (https://threatvault.paloaltonetworks.com/).
Go to Objects -> Security Profiles -> Vulnerability Protection and select the profile that you are using for filtering traffic (must be applied under Actions of the Security Policies you are using to filter inbound/outbound traffic). Click the Exceptions tab and then check the 'Show all signatures' box at the bottom (only exceptions to default signatures show by default). Scroll or use the filter box to find the relevant signature.
Note that not all the indicated signatures are block by default as they may be more generic in detection. Default settings:
ID - Severity/Action
95746 - Low/Alert
95747 - Critical/Reset-server
95752 - Critical/Reset-server
95753 - Medium/Alert
95759 - Critical/Reset-server
95763 - Critical/Reset-server
To change a signature action under a profile, select the signature in the Exceptions tab and click the "Enable" box. Enter an exempt IP, change the Action, or change the Packet Capture settings to your desired setting and click OK/Commit. If you have multiple Security Profiles for different Security Policies, you will have to change each relevant one.
12-11-2024 09:54 AM
Hi, Thanks for the comment.
For the ID 95746 (low/alert) , under 'IP Address Exemptions', what IP address do i need to put there?
Since the default is alert, what action do I need here? Drop?
12-11-2024 10:35 AM
If you put any IPs in the "IP Address Exemptions" list (click the empty box to enter), those IPs will be excluded from that signature detection and will not trigger (either source or destination). So, for example, if you had a server that regularly triggered a false positive for a ColdFusion exploit signature (when your server didn't even have ColdFusion installed) and you want to ignore that, but not disable the signature for other devices, you could enter the server IP under Exemptions. That particular server would no longer trip that signature, but all other devices still would.
The 95746 signature is more generic (may trigger on far more than just CVE-2024-0012), so PA has decided to make it low-severity and alert only. If you want to change it to immediately kill the connection, you can change the action to any of the following:
You would probably want to Reset Both or Reset Server to ensure the existing session is cancelled and the server does not try to parse a partial packet reception. See the documentation on the various options here:
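As an added example (not part of either reply above and not Palo Alto Networks code), the following script audits a Vulnerability Protection profile the way the two replies describe: it takes the six Threat IDs and their default actions from the table in the first reply, checks whether the profile's Exceptions tab overrides any of them, reports the effective action, lists any IP Address Exemptions, and prints PAN-OS configure-mode `set` commands to move every non-blocking one to Reset Both. It assumes the XML shape of an exported vulnerability profile (`profiles/vulnerability/entry/threat-exception/entry` with an `action` child such as `<drop/>` or `<reset-both/>` and an `exempt-ip` list) and the CLI syntax `set profiles vulnerability <profile> threat-exception <id> action <action>`; both are assumptions to verify on your PAN-OS version. The sample profile export is constructed for the example.

```python
"""Audit which action a PAN-OS Vulnerability Protection profile applies to the
CVE-2024-0012 Threat IDs, and print CLI commands for the ones that only alert.

Added example, not Palo Alto Networks code. The XML layout below is an
assumption about how a vulnerability profile exports
(profiles/vulnerability/entry/threat-exception/entry); the sample is constructed.
"""
import xml.etree.ElementTree as ET

# Default severity/action per signature, as listed in the first reply.
DEFAULT_ACTION = {
    "95746": "alert",          # Low
    "95747": "reset-server",   # Critical
    "95752": "reset-server",   # Critical
    "95753": "alert",          # Medium
    "95759": "reset-server",   # Critical
    "95763": "reset-server",   # Critical
}

# Actions that terminate or block the session rather than only logging it.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}

# Constructed profile export: 95746 has been overridden to drop, 95753 has an IP
# exemption but keeps its default (alert) action, the other four are untouched.
SAMPLE_PROFILE_XML = """
<entry name="inbound-strict">
  <rules>
    <entry name="block-critical"><action><reset-both/></action></entry>
  </rules>
  <threat-exception>
    <entry name="95746">
      <action><drop/></action>
      <packet-capture>single-packet</packet-capture>
    </entry>
    <entry name="95753">
      <action><default/></action>
      <exempt-ip><entry name="10.0.5.20"/></exempt-ip>
    </entry>
  </threat-exception>
</entry>
"""


def parse_exceptions(profile_xml):
    """Return {threat_id: {"action": str|None, "exempt": [ips]}} for every
    threat-exception entry. action None means the signature default still applies
    (no <action> child, or <action><default/></action>)."""
    root = ET.fromstring(profile_xml)
    result = {}
    for exc in root.findall("./threat-exception/entry"):
        action_el = exc.find("action")
        action = None
        if action_el is not None and len(action_el):
            tag = action_el[0].tag            # <reset-both/> -> "reset-both"
            action = None if tag == "default" else tag
        exempt = [ip.get("name") for ip in exc.findall("./exempt-ip/entry")]
        result[exc.get("name")] = {"action": action, "exempt": exempt}
    return result


def effective_actions(profile_xml, threat_ids=DEFAULT_ACTION):
    """Effective action per Threat ID: the profile's override if one is set,
    otherwise the signature default from the table."""
    overrides = parse_exceptions(profile_xml)
    return {
        tid: (overrides.get(tid, {}).get("action") or default)
        for tid, default in threat_ids.items()
    }


def remediation_commands(profile_name, profile_xml, target="reset-both"):
    """Configure-mode 'set' lines for each listed Threat ID whose effective
    action does not block. Syntax is an assumption; check it on your version."""
    cmds = []
    for tid, action in sorted(effective_actions(profile_xml).items()):
        if action not in BLOCKING_ACTIONS:
            cmds.append(
                f"set profiles vulnerability {profile_name} "
                f"threat-exception {tid} action {target}"
            )
    return cmds


if __name__ == "__main__":
    for tid, action in sorted(effective_actions(SAMPLE_PROFILE_XML).items()):
        exempt = parse_exceptions(SAMPLE_PROFILE_XML).get(tid, {}).get("exempt", [])
        flag = "" if action in BLOCKING_ACTIONS else "  <- does not block"
        print(f"{tid}: {action}{flag}  exempt={exempt}")
    for cmd in remediation_commands("inbound-strict", SAMPLE_PROFILE_XML):
        print(cmd)
```

Run it against a real profile by exporting the profile entry (for example with the XML API `type=config&action=get` on the profile's xpath) and passing that fragment in place of the constructed sample; remember, as the first reply notes, to repeat the check for every Vulnerability Protection profile referenced by an inbound Security Policy, since an override in one profile does nothing for the others, and to commit after the `set` commands.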