How to enable signature of Unique threat id

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to enable signature of Unique threat id

L3 Networker
Hello guys hope you doing well I had one question this vulnerability is resolved in the unstable version of PANOS as I see we want to enable the Unique id signature because the affected version is 9.1.4 and 10.0.0 so what should I do to enable this unique threat id. what will be the impact to end users, If we go ahead with the workaround
 
 
CVE-2021-3050 PAN-OS: OS Command Injection Vulnerability in Web Interface

 

Description
An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to execute arbitrary OS commands to escalate privileges.

 

Solution:
We intend to fix this issue in PAN-OS 9.0.15 (ETA November 2021), PAN-OS 9.1.11 (ETA September 2021), PAN-OS 10.0.8 (ETA September 2021), PAN-OS 10.1.2 (ETA September 2021) and all later PAN-OS versions.

 

Workarounds and Mitigations:
Enable signatures for Unique Threat ID 91439 on traffic destined for the web interface to block attacks against CVE-2021-3050
 
2 REPLIES 2

L7 Applicator

You can mitigate this vulnerability by having traffic that routes to the management interface be scanned by a Vulnerability Protection profile which should be set to reset-both on High severity vulnerabilities. Since the firewall does not run IPS on the traffic destined to the management *port*, the recommendation implies that you would either force management traffic through the firewall, or migrate the WebUI management of the device to a data port for in-band management (where the Vulnerability Protection profile can scan the traffic) using an interface management profile, and/or, mitigate risk by restricting access to the management port. This is covered in our documentation at https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securi...

 

Other than the in-band solution, a few ways to force traffic through the firewall for out of band management are to:

1) Create a Layer 3 interface in a spare data port on a separate Management Zone, associate a management interface profile to it, and define all service routes to source from this interface. Define an intrazone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port. 

or,

2) Create a vWire on two data ports, connect one port of the vWire to the management port and another to your management network switch. Define a security policy for the vWire with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires two spare data ports. The advantage in this scenario is that it provides true management isolation and that for any required services that do not honor Service Routes, traffic will continue to source from the Management port.

 

By the way, 10.1.2 and 9.1.11 have already released.

L3 Networker

Is there any docs where we can enable the Unique Threat ID on the firewall or we should check the vulnerability severity is apply on the management port interface and 10.1.2  or 9.1.11 are not stable yet and also should this issue is not resolved in stable version 9.1.10 and 10.0.6.

  • 9034 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!