Product Security Incident Response Team

PSIRT Articles

The latest news from the Product Security Incident Response Team at Palo Alto Networks.

Palo Alto Networks Security Advisories: 15-October-2019

L3 Networker

Palo Alto Networks has published two new Security Advisories that impact the GlobalProtect agent for Windows, Linux, and Mac OSX.

Please see https://securityadvisories.paloaltonetworks.com for details about the following two new security advisories:

Local Privilege Escalation in GlobalProtect Agent for Windows (PAN-SA-2019-0036)

Local Privilege Escalation in GlobalProtect Agent for Linux and Mac OS (PAN-SA-2019-0037)

Background ROBOT [1] is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key. Exposure SSL Decryption and GlobalProtect are susceptible to this issue. Our engineers are working on a software fix. We recommend customers running PAN-OS to upgrade to a fixed version of software or use content update 757, and implement further mitigations through the configuration changes described below under “Mitigations”. PAN-OS impacted releases include 6.1.19 and prior, 7.1.14 and prior, 8.0.6-h3 and prior. Fix and Mitigations Software update PAN-OS 6.1.20 and newer, 7.1.15 and newer, and 8.0.7 and newer are fixed. Customers exposed to this vulnerability are invited to upgrade to a corrected version of PAN-OS. Content Update Palo Alto Networks has released content update 757, which includes a vulnerability signature (“TLS Network Security Protocol Information Disclosure Vulnerability – ROBOT”, #38407) that can be used as an interim mitigation to protect PAN-OS devices until the software is upgraded. For complete protection, signature #38407 must be applied upstream from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway. SSL Decryption Mitigation Customers running PAN-OS 7.1 or later can configure their SSL Decryption profiles to disable RSA. GlobalProtect Mitigation If the GlobalProtect server certificate is using RSA, customers running PAN-OS 7.1 or later can opt to replace this certificate with one implementing the Eliptic Curve DSA algorithm as a safer alternative. Note: A PAN-OS 7.1 known issue prevents properly formatted ECDSA CSR. As a result, the Global Protect ECDSA certificate could either be generated: on appliance by temporarily importing the enterprise Certificate Authority in PAN-OS; or on external enterprise PKI system then imported into PAN-OS along with its private key. See Also PAN-OS Technical Documentation Critical Issues Addressed In PAN-OS Releases Best Practices For PAN-OS Upgrade Reference [1] https://robotattack.org/

Palo Alto Networks has published two new Security Advisories that impact the GlobalProtect agent for Windows, Linux, and Mac OSX. Please see https://securityadvisories.paloaltonetworks.com for details about the following two new security advisories: Local Privilege Escalation in GlobalProtect Agent for Windows (PAN-SA-2019-0036) Local Privilege Escalation in GlobalProtect Agent for Linux and Mac OS (PAN-SA-2019-0037)

Coverage for the Meltdown and Spectre vulnerabilities: Traps anti-exploitation mechanisms will not protect against exploiting of these vulnerabilities. The disclosed vulnerabilities are memory read vulnerabilities. They do not cause code execution. For an attacker to use these vulnerabilities, there likely would have been an initial attack phase that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities). For more information on Microsoft’s updates, please see Microsoft Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities Note that these vulnerabilities are memory read vulnerabilities; they do not cause code execution. For an attacker to use these vulnerabilities in an attack, they would have to have already executed a successful initial attack that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities). Compatibility: All the currently supported product lines (3.4, 4.0, and 4.1) were tested running on all the supported Operating System versions and certified to be compatible with the Microsoft Security updates. Note that the tests were performed on both physical and virtual machines. Find more information around Supported Operating Systems and Platforms on our Compatibility Matrix. https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/traps/where-can-i-install-the-traps-agent Microsoft patch: Traps is compatible with the patches Microsoft released to fix CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 vulnerabilities. Apple patch: Traps is compatible with macOS High Sierra 10.13.2 Supplemental Update including security improvements to Safari and WebKit to mitigate the effects of CVE-2017-5753 and CVE-2017-5715. Installing the Patch: Traps 4.0.5-h1, Traps 4.1.2-h1, and later automatically set the registry key Microsoft requires to be present for their security updates to install successfully. For more information on this registry key, please see Microsoft Knowledge Base Article 4072699. Customers requiring assistance with the upgrade, or assistance with older versions can reach out to the Palo Alto Networks Support team. Find the Support contact for your region at https://www.paloaltonetworks.com/company/contact-support Change Log Friday, Jan. 12, 2018 Post updated to include the note at the bottom of the article regarding a forthcoming update. Tuesday, Jan. 23, 2018 Updated with information about the new releases that allow Windows to install the patches automatically. Friday, Jan. 26, 2018 Updated to clarify information around the Microsoft Windows registry key.

With the release of PAN-OS 7.1.12 Palo Alto Networks has published 2 new and 1 updated Security Advisory addressing 3 security issues. New Security Advisories PAN-SA-2017-0023 - Cross-Site Scripting in PAN-OS A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface, that could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters. Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3 CVE-2017-12416 PAN-SA-2017-0024 - XML External Entity (XXE) in PAN-OS A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface, that could allow for XML External Entity (XXE) attack. PAN-OS does not properly parse XML input. High Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3 CVE-2017-9458 Updated Security Advisory PAN-SA-2017-0022 - NTP Vulnerability The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall. Low Severity Fixed in PAN-OS 7.1.12 and PAN-OS 8.0.4 Fixes for 6.1 and 7.0 will be released on a future date CVE-2017-6460 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards  Product Security Incident Response Team Palo Alto Networks Updated August-31-2017 - Security Advisories updated to clarify that both the Internal and external interfaces of GlobalProtect are affected by issues listed in PAN-SA-2017-0023 and PAN-SA-2017-0024

Palo Alto Networks has published 1 new Security Advisory addressing 1 security issue. New Security Advisory PAN-SA-2017-0022 - NTP Vulnerability The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall. Low Severity Fixed in PAN-OS 8.0.4 Fixes for 6.1, 7.0 and 7.1 will be released on a future date CVE-2017-6460 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards  Product Security Incident Response Team Palo Alto Networks Updated August-07-2017 - This advisory initially listed CVE-2016-9042. This was incorrect and PAN-OS is not affected by CVE-2016-9042. The security advisory has been updated to reflect this.

Palo Alto Networks has published 3 new and 2 updated Security Advisory addressing several security issue to https://securityadvisories.paloaltonetworks.com/ . New Security Advisories PAN-SA-2017-0021 - Vulnerability in the PAN-OS DNS Proxy Critical Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.10, PAN-OS 8.0.3 Affects DNS Proxy of PAN-OS CVE-2017-8390 FAQ PAN-SA-2017-0020 - Cross-Site Scripting in PAN-OS Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.11, PAN-OS 8.0.3 Affects the GlobalProtect external interface of PAN-OS CVE-2017-9467 PAN-SA-2017-0019 - Cross-Site Scripting in the Management Web Interface Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.11, PAN-OS 8.0.3 Affects the Management Interface of PAN-OS CVE-2017-9459 Updated Security Advisories PAN-SA-2017-0017 - OpenSSL Vulnerability 6.1.18 Fix available PAN-SA-2017-0018 - Kernel Vulnerability 6.1.18 Fix available Details of the issues, affected versions, and any mitigation information can be found in the Security Advisories.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards  Product Security Incident Response Team  Palo Alto Networks

Palo Alto Networks has published a new Security Advisory addressing a security issue. We have updated Security Advisory PAN-SA-2017-0015. The advisory was updated to indicate the issue was fixed in update 7.0.16 which was released on the 6th June. The text was missing from the Available Updates section of the advisory: New Security Advisory PAN-SA-2017-0018 - Kernel Vulnerability PAN-OS 8.0.3 Update Available Only Affects the Management Interface CVE-2016-10229 Updated Security Advisory PAN-SA-2017-0015 - Kernel Vulnerability Added PAN-OS 7.0.16 text to Update Available section PAN-OS 8.0 is not vulnerable to this issue CVE-2016-5696 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisories. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support Regards Product Security Incident Response Team  Palo Alto Networks

With the release of PAN-OS 7.0.16, Palo Alto Networks has published a Security Advisory addressing a security issue: New Security Advisory PAN-SA-2017-0017 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support Regards Product Security Incident Response Team  Palo Alto Networks

Palo Alto Networks has published several Security Advisories addressing several security issues with the release of PAN-OS 7.1.10: New Security Advisories PAN-SA-2017-0015 - Kernel Vulnerability PAN-SA-2017-0016 -WGET Vulnerability Updated Security Advisory PAN-SA-2017-0012 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport Regards Product Security Incident Response Team Palo Alto Networks

Palo Alto Networks has published several Security Advisories addressing several security issues: New Security Advisories PAN-SA-2017-0013 - Information Disclosure in the Management Web Interface PAN-SA-2017-0014 - Brute force attack on the PAN-OS GlobalProtect external interface Details of the issue, affected versions, and mitigation information can be found in the Security Advisory. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport Regards Product Security Incident Response Team Palo Alto Networks Change Log May 9th 2017 - Removed reference to PAN-SA-2017-0003. A fix for PAN-OS 6.1 has not yet been released.

Palo Alto Networks has published several Security Advisories addressing several security issues: PAN-SA-2017-0011 - Cross-Site Scripting in the PAN-OS PAN-SA-2017-0012 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport Regards Product Security Incident Response Team Palo Alto Networks

Palo Alto Networks has published several Security Advisories addressing several security issues: PAN-SA-2017-0007 - Temporary DoS for Traps Agent PAN-SA-2017-0008 - Tampering of temporary export files in the Management Web Interface PAN-SA-2017-0009 - Local Privilege Escalation in the Management Web Interface PAN-SA-2017-0010 - Information Disclosure in the Management Web Interface Details of the issue, affected versions, and mitigation information can be found in the Security Advisory. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support Regards Product Security Incident Response Team Palo Alto Networks

Summary CERT/CC has recently published a paper "The Security Impact of HTTPS Interception"[1] discussing risks of SSL Inspection. The publication discusses the tradeoffs of using SSL interception. US-CERT has sent Alerts[2][3] highlighting the CERT/CC paper, that customers may have received. The US-CERT Alert and the CERT/CC paper describes intermediaries intercepting and negotiating insecure SSL/TLS parameters on what would otherwise be a secure connection between the client and the server. This issue is not applicable to the mechanisms used by PAN-OS to decrypt SSL/TLS sessions, given we do not alter the integrity of cryptographic parameters as negotiated by the client and the server. Details The information below provides details for customers who may be concerned about the issues mentioned in the paper. PAN-OS helps customers eliminate the concerns mentioned in the CERT/CC paper, we recommend customers review this document and the additional articles listed in the resources section. PAN-OS preserves the integrity of the SSL/TLS session by using the cryptographic settings of the original SSL/TLS negotiation as mandated by the client and the server. It does not change the cryptographic parameters once the session has been negotiated, and if the cryptographic parameters do not meet policy requirements as defined by an administrator, PAN-OS can either block or not decrypt the session based on the policy. Further, PAN-OS allows administrators to specify the supported SSL/TLS protocol versions and cipher suites to reduce risk and eliminate the vulnerabilities mentioned in the paper. In addition, as a suggested best-practice, see https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visibility-and-threat-inspection for information on preventing the use of weak cryptography by clients and servers in the network. Should you have any questions or need help configuring our products, please don’t hesitate to reach out to your support provider or Palo Alto Networks Support Team at https://support.paloaltonetworks.com. Reference [1] - https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html [2] - https://www.us-cert.gov/ncas/alerts/TA17-075A [3] - https://www.us-cert.gov/ncas/alerts/TA15-120A Resources [4] - https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visibility-and-threat-inspection [5] - https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/62256 [6] - https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy [7] - https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html [8] - https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-certificates [9] - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719 [10] - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Enable-CRL-and-OCSP-from-the-WebGUI-and-CLI/ta-p/56490

Palo Alto Networks has published a Security Advisory today addressing a security issue: PAN-SA-2017-0006 - Information Disclosure in Terminal Services Agent Details of the issue, affected versions, and mitigation information can be found in the Security Advisory. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport Regards Product Security Incident Response Team Palo Alto Networks