PSIRT Articles

Security researchers at INRIA recently described an attack against information encrypted using older 64-bit block ciphers, such as 3DES and Blowfish, to successfully recover plaintext. 

Palo Alto Networks introduced new features in our Customer Support Portal (CSP) that address security concerns related to support.paloaltonetworks.com.

Background ROBOT [1] is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key.   Exposure SSL Decryption and GlobalProtect are susceptible to this issue. Our engineers are working on a software fix. We recommend customers running PAN-OS to upgrade to a fixed version of software or use content update 757, and implement further mitigations through the configuration changes described below under “Mitigations”. PAN-OS impacted releases include 6.1.19 and prior, 7.1.14 and prior, 8.0.6-h3 and prior.   Fix and Mitigations Software update PAN-OS 6.1.20 and newer, 7.1.15 and newer,  and 8.0.7 and newer are fixed. Customers exposed to this vulnerability are invited to upgrade to a corrected version of PAN-OS.   Content Update Palo Alto Networks has released content update 757, which includes a vulnerability signature (“TLS Network Security Protocol Information Disclosure Vulnerability – ROBOT”, #38407) that can be used as an interim mitigation to protect PAN-OS devices until the software is upgraded. For complete protection, signature #38407 must be applied upstream from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway.   SSL Decryption Mitigation Customers running PAN-OS 7.1 or later can configure their SSL Decryption profiles to disable RSA.   GlobalProtect Mitigation If the GlobalProtect server certificate is using RSA, customers running PAN-OS 7.1 or later can opt to replace this certificate with one implementing the Eliptic Curve DSA algorithm as a safer alternative. Note: A PAN-OS 7.1 known issue prevents properly formatted ECDSA CSR. As a result, the Global Protect ECDSA certificate could either be generated: on appliance by temporarily importing the enterprise Certificate Authority in PAN-OS; or on external enterprise PKI system then imported into PAN-OS along with its private key.   See Also PAN-OS Technical Documentation   Critical Issues Addressed In PAN-OS Releases   Best Practices For PAN-OS Upgrade   Reference [1] https://robotattack.org/  

With the release of PAN-OS 9.0.1 Palo Alto Networks has a new Security Advisory.  Please see https://securityadvisories.paloaltonetworks.com for details.

With the release of PAN-OS 7.1.21, Palo Alto Networks has updated a Security Advisory.   Please see https://securityadvisories.paloaltonetworks.com for details.

Palo Alto Networks has published two new Security Advisories that impact the GlobalProtect agent for Windows, Linux, and Mac OSX.   Please see https://securityadvisories.paloaltonetworks.com for details about the following two new security advisories:   Local Privilege Escalation in GlobalProtect Agent for Windows (PAN-SA-2019-0036) Local Privilege Escalation in GlobalProtect Agent for Linux and Mac OS (PAN-SA-2019-0037)

Palo Alto Networks has published three new Security Advisories.  Please see https://securityadvisories.paloaltonetworks.com for details about the following: Information Disclosure in PAN-OS Management API Usage Command Injection in PAN-OS Privilege Escalation in PAN-OS

Palo Alto Networks has published a new informational Security Advisory.  Please see https://securityadvisories.paloaltonetworks.com for details.

With the release of PAN-OS 7.1.23 Palo Alto Networks has two new  Security Advisories.  Please see https://securityadvisories.paloaltonetworks.com for details.

With the release of PAN-OS 8.1.6 Palo Alto Networks has two new  Security Advisories.  Please see https://securityadvisories.paloaltonetworks.com for details.

Palo Alto Networks has published a new Security Advisory.  Please see https://securityadvisories.paloaltonetworks.com for details.

Palo Alto Networks has published 3 new Security Advisories. This includes information about TCP SACK Panic Findings in PAN-OS.    Please see https://securityadvisories.paloaltonetworks.com for details.

With the release of PAN-OS 7.1.20 Palo Alto Networks has published new Security Advisories.  Please see https://securityadvisories.paloaltonetworks.com for details.

With the release of PAN-OS 8.1.3 Palo Alto Networks has published new Security Advisories.  Please see https://securityadvisories.paloaltonetworks.com for details.

With the release of PAN-OS 8.0.10 Palo Alto Networks has published a new Security Advisory.  Please see http://securityadvisories.paloaltonetworks.com/Home/Detail/121 for details.

Coverage for the Meltdown and Spectre vulnerabilities: Traps anti-exploitation mechanisms will not protect against exploiting of these vulnerabilities. The disclosed vulnerabilities are memory read vulnerabilities. They do not cause code execution. For an attacker to use these vulnerabilities, there likely would have been an initial attack phase that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities). For more information on Microsoft’s updates, please see Microsoft Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities Note that these vulnerabilities are memory read vulnerabilities; they do not cause code execution. For an attacker to use these vulnerabilities in an attack, they would have to have already executed a successful initial attack that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities). Compatibility: All the currently supported product lines (3.4, 4.0, and 4.1) were tested running on all the supported Operating System versions and certified to be compatible with the Microsoft Security updates. Note that the tests were performed on both physical and virtual machines. Find more information around Supported Operating Systems and Platforms on our Compatibility Matrix. https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/traps/where-can-i-install-the-traps-agent Microsoft patch: Traps is compatible with the patches Microsoft released to fix CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 vulnerabilities.   Apple patch: Traps is compatible with macOS High Sierra 10.13.2 Supplemental Update including security improvements to Safari and WebKit to mitigate the effects of CVE-2017-5753 and CVE-2017-5715. Installing the Patch: Traps  4.0.5-h1, Traps 4.1.2-h1, and later automatically set the registry key Microsoft requires to be present for their security updates to install successfully. For more information on this registry key, please see Microsoft Knowledge Base Article 4072699.   Customers requiring assistance with the upgrade, or assistance with older versions can reach out to the Palo Alto Networks Support team. Find the Support contact for your region at https://www.paloaltonetworks.com/company/contact-support   Change Log   Friday, Jan. 12, 2018 Post updated to include the note at the bottom of the article regarding a forthcoming update. Tuesday, Jan. 23, 2018 Updated with information about the new releases that allow Windows to install the patches automatically. Friday, Jan. 26, 2018 Updated to clarify information around the Microsoft Windows registry key.

Meltdown and Spectre [1] affect modern CPU architectures (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). Our preliminary findings conclude that these vulnerabilities pose limited risk to Palo Alto Networks PAN-OS devices.

ROCA: Vulnerable RSA generation (CVE-2017-15361) will find no place among Palo Alto Networks products.

With the release of PAN-OS 7.1.12 Palo Alto Networks has published 2 new and 1 updated Security Advisory addressing 3 security issues.   New Security Advisories   PAN-SA-2017-0023 - Cross-Site Scripting in PAN-OS A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface, that could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters.   Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3 CVE-2017-12416 PAN-SA-2017-0024 - XML External Entity (XXE) in PAN-OS  A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface, that could allow for XML External Entity (XXE) attack. PAN-OS does not properly parse XML input.   High Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3 CVE-2017-9458 Updated Security Advisory   PAN-SA-2017-0022 - NTP Vulnerability The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.   Low Severity Fixed in PAN-OS 7.1.12 and PAN-OS 8.0.4 Fixes for 6.1 and 7.0 will be released on a future date CVE-2017-6460 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.

   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/

   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   

Regards
 Product Security Incident Response Team Palo Alto Networks   Updated August-31-2017 - Security Advisories updated to clarify that both the Internal and external interfaces of GlobalProtect are affected by issues listed in PAN-SA-2017-0023 and PAN-SA-2017-0024

Palo Alto Networks has published 1 new Security Advisory addressing 1 security issue.   New Security Advisory   PAN-SA-2017-0022 - NTP Vulnerability The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.   Low Severity Fixed in PAN-OS 8.0.4 Fixes for 6.1, 7.0 and 7.1 will be released on a future date CVE-2017-6460 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.

   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/

   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   

Regards
 Product Security Incident Response Team Palo Alto Networks   Updated August-07-2017 - This advisory initially listed CVE-2016-9042. This was incorrect and PAN-OS is not affected by CVE-2016-9042. The security advisory has been updated to reflect this.

Palo Alto Networks has published 3 new and 2 updated Security Advisory addressing several security issue to https://securityadvisories.paloaltonetworks.com/ .   New Security Advisories   PAN-SA-2017-0021 - Vulnerability in the PAN-OS DNS Proxy Critical Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.10, PAN-OS 8.0.3 Affects DNS Proxy of PAN-OS CVE-2017-8390 FAQ  PAN-SA-2017-0020 - Cross-Site Scripting in PAN-OS Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.11, PAN-OS 8.0.3 Affects the GlobalProtect external interface of PAN-OS CVE-2017-9467 PAN-SA-2017-0019 - Cross-Site Scripting in the Management Web Interface Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.11, PAN-OS 8.0.3 Affects the Management Interface of PAN-OS CVE-2017-9459 Updated Security Advisories   PAN-SA-2017-0017 - OpenSSL Vulnerability 6.1.18 Fix available PAN-SA-2017-0018 - Kernel Vulnerability 6.1.18 Fix available Details of the issues, affected versions, and any mitigation information can be found in the Security Advisories.

   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   

If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support

   Regards
 Product Security Incident Response Team
 Palo Alto Networks

Palo Alto Networks has published a new Security Advisory addressing a security issue.   We have updated Security Advisory PAN-SA-2017-0015. The advisory was updated to indicate the issue was fixed in update 7.0.16 which was released on the 6th June. The text was missing from the Available Updates section of the advisory:   New Security Advisory   PAN-SA-2017-0018 - Kernel Vulnerability   PAN-OS 8.0.3 Update Available Only Affects the Management Interface CVE-2016-10229 Updated Security Advisory   PAN-SA-2017-0015 - Kernel Vulnerability   Added PAN-OS 7.0.16 text to Update Available section PAN-OS 8.0 is not vulnerable to this issue CVE-2016-5696 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisories. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support Regards Product Security Incident Response Team
 Palo Alto Networks

With the release of PAN-OS 7.0.16, Palo Alto Networks has published a Security Advisory addressing a security issue:    New Security Advisory   PAN-SA-2017-0017 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards Product Security Incident Response Team
 Palo Alto Networks

Palo Alto Networks has published several Security Advisories addressing several security issues with the release of PAN-OS 7.1.10:    New Security Advisories   PAN-SA-2017-0015 - Kernel Vulnerability PAN-SA-2017-0016 -WGET Vulnerability Updated Security Advisory   PAN-SA-2017-0012 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks  

Palo Alto Networks has published several Security Advisories addressing several security issues:    New Security Advisories   PAN-SA-2017-0013 - Information Disclosure in the Management Web Interface  PAN-SA-2017-0014 - Brute force attack on the PAN-OS GlobalProtect external interface  Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks   Change Log May 9th 2017 - Removed reference to PAN-SA-2017-0003. A fix for PAN-OS 6.1 has not yet been released.

Palo Alto Networks has published several Security Advisories addressing several security issues:    PAN-SA-2017-0011 - Cross-Site Scripting in the PAN-OS PAN-SA-2017-0012 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks

  Palo Alto Networks has published several Security Advisories addressing several security issues:    PAN-SA-2017-0007 - Temporary DoS for Traps Agent PAN-SA-2017-0008 - Tampering of temporary export files in the Management Web Interface PAN-SA-2017-0009 - Local Privilege Escalation in the Management Web Interface PAN-SA-2017-0010 - Information Disclosure in the Management Web Interface  Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards Product Security Incident Response Team Palo Alto Networks

Summary CERT/CC has recently published a paper "The Security Impact of HTTPS Interception"[1] discussing risks of SSL Inspection. The publication discusses the tradeoffs of using SSL interception. US-CERT has sent Alerts[2][3] highlighting the CERT/CC paper, that customers may have received.   The US-CERT Alert and the CERT/CC paper describes intermediaries intercepting and negotiating insecure SSL/TLS parameters on what would otherwise be a secure connection between the client and the server. This issue is not applicable to the mechanisms used by PAN-OS to decrypt SSL/TLS sessions, given we do not alter the integrity of cryptographic parameters as negotiated by the client and the server.   Details The information below provides details for customers who may be concerned about the issues mentioned in the paper.   PAN-OS helps customers eliminate the concerns mentioned in the CERT/CC paper, we recommend customers review this document and the additional articles listed in the resources section.   PAN-OS preserves the integrity of the SSL/TLS session by using the cryptographic settings of the original SSL/TLS negotiation as mandated by the client and the server. It does not change the cryptographic parameters once the session has been negotiated, and if the cryptographic parameters do not meet policy requirements as defined by an administrator, PAN-OS can either block or not decrypt the session based on the policy. Further, PAN-OS allows administrators to specify the supported SSL/TLS protocol versions and cipher suites to reduce risk and eliminate the vulnerabilities mentioned in the paper.   In addition, as a suggested best-practice, see https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visibility-and-threat-inspection for information on preventing the use of weak cryptography by clients and servers in the network.   Should you have any questions or need help configuring our products, please don’t hesitate to reach out to your support provider or Palo Alto Networks Support Team at https://support.paloaltonetworks.com.   Reference [1] - https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html [2] - https://www.us-cert.gov/ncas/alerts/TA17-075A [3] - https://www.us-cert.gov/ncas/alerts/TA15-120A   Resources [4] - https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visibility-and-threat-inspection [5] - https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/62256 [6] - https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy [7] - https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html [8] - https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-certificates [9] - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719 [10] -  https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Enable-CRL-and-OCSP-from-the-WebGUI-and-CLI/ta-p/56490  

Palo Alto Networks has published a Security Advisory today addressing a security issue:   PAN-SA-2017-0006 - Information Disclosure in Terminal Services Agent Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks