About kshorrock

With the release of PAN-OS 7.1.12 Palo Alto Networks has published 2 new and 1 updated Security Advisory addressing 3 security issues.   New Security Advisories   PAN-SA-2017-0023 -  Cross-Site Scripting in PAN-OS A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface,  that could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters.   Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3 CVE-2017-12416 PAN-SA-2017-0024 - XML External Entity (XXE) in PAN-OS  A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface,  that could allow for XML External Entity (XXE) attack. PAN-OS does not properly parse XML input.   High Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3 CVE-2017-9458 Updated Security Advisory   PAN-SA-2017-0022 - NTP Vulnerability The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.   Low Severity Fixed in PAN-OS 7.1.12 and PAN-OS 8.0.4 Fixes for 6.1 and 7.0 will be released on a future date CVE-2017-6460 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.

   Please visit our Security Advisories website to learn more at   https://securityadvisories.paloaltonetworks.com/

   If you have questions, please contact support   https://www.paloaltonetworks.com/company/contact-support   

Regards
 Product Security Incident Response Team Palo Alto Networks   Updated August-31-2017 - Security Advisories updated to clarify that both the Internal and external interfaces of GlobalProtect are affected by issues listed in PAN-SA-2017-0023 and PAN-SA-2017-0024 ... View more

Palo Alto Networks has published 1 new Security Advisory addressing 1 security issue.   New Security Advisory   PAN-SA-2017-0022 - NTP Vulnerability The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.   Low Severity Fixed in PAN-OS 8.0.4 Fixes for 6.1, 7.0 and 7.1 will be released on a future date CVE-2017-6460 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.

   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/

   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   

Regards
 Product Security Incident Response Team Palo Alto Networks   Updated August-07-2017 - This advisory initially listed  CVE-2016-9042. This was incorrect and PAN-OS is not affected by CVE-2016-9042. The security advisory has been updated to reflect this. ... View more

Palo Alto Networks has published 3 new and 2 updated Security Advisory addressing several security issue to https://securityadvisories.paloaltonetworks.com/ .   New Security Advisories   PAN-SA-2017-0021 - Vulnerability in the PAN-OS DNS Proxy Critical Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.10, PAN-OS 8.0.3 Affects DNS Proxy of PAN-OS CVE-2017-8390 FAQ  PAN-SA-2017-0020 - Cross-Site Scripting in PAN-OS Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.11, PAN-OS 8.0.3 Affects the GlobalProtect external interface of PAN-OS CVE-2017-9467 PAN-SA-2017-0019 - Cross-Site Scripting in the Management Web Interface Medium Severity Fixed in PAN-OS 6.1.18, PAN-OS 7.0.16, PAN-OS 7.1.11, PAN-OS 8.0.3 Affects the Management Interface of PAN-OS CVE-2017-9459 Updated Security Advisories   PAN-SA-2017-0017 - OpenSSL Vulnerability 6.1.18 Fix available PAN-SA-2017-0018 - Kernel Vulnerability 6.1.18 Fix available Details of the issues, affected versions, and any mitigation information can be found in the Security Advisories.

   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   

If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support

   Regards
 Product Security Incident Response Team
 Palo Alto Networks ... View more

Palo Alto Networks has published a new Security Advisory addressing a security issue.   We have updated Security Advisory PAN-SA-2017-0015. The advisory was updated to indicate the issue was fixed in update 7.0.16 which was released on the 6th June. The text was missing from the Available Updates section of the advisory:   New Security Advisory   PAN-SA-2017-0018 - Kernel Vulnerability   PAN-OS 8.0.3 Update Available Only Affects the Management Interface CVE-2016-10229 Updated Security Advisory   PAN-SA-2017-0015 - Kernel Vulnerability   Added PAN-OS 7.0.16 text to Update Available section PAN-OS 8.0 is not vulnerable to this issue CVE-2016-5696 Details of the issues, affected versions, and any mitigation information can be found in the Security Advisories. Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/ If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support Regards Product Security Incident Response Team
 Palo Alto Networks ... View more

With the release of PAN-OS 7.0.16, Palo Alto Networks has published a Security Advisory addressing a security issue:    New Security Advisory   PAN-SA-2017-0017 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards Product Security Incident Response Team
 Palo Alto Networks ... View more

Palo Alto Networks has published several Security Advisories addressing several security issues with the release of PAN-OS 7.1.10:    New Security Advisories   PAN-SA-2017-0015 - K ernel Vulnerability PAN-SA-2017-0016 - WGET Vulnerability Updated Security Advisory   PAN-SA-2017-0012 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks   ... View more

Palo Alto Networks has published several Security Advisories addressing several security issues:    New Security Advisories   PAN-SA-2017-0013 - Information Disclosure in the Management Web Interface  PAN-SA-2017-0014 - Brute force attack on the PAN-OS GlobalProtect external interface  Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks   Change Log May 9th 2017 - Removed reference to PAN-SA-2017-0003. A fix for PAN-OS 6.1 has not yet been released. ... View more

Palo Alto Networks has published several Security Advisories addressing several security issues:    PAN-SA-2017-0011 - Cross-Site Scripting in the PAN-OS PAN-SA-2017-0012 - OpenSSL Vulnerability Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks ... View more

  Palo Alto Networks has published several Security Advisories addressing several security issues:    PAN-SA-2017-0007 - Temporary DoS for Traps Agent PAN-SA-2017-0008 - Tampering of temporary export files in the Management Web Interface PAN-SA-2017-0009 - Local Privilege Escalation in the Management Web Interface PAN-SA-2017-0010 - Information Disclosure in the Management Web Interface  Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support   Regards Product Security Incident Response Team Palo Alto Networks ... View more

Summary CERT/CC has recently published a paper "The Security Impact of HTTPS Interception"[1] discussing risks of SSL Inspection. The publication discusses the tradeoffs of using SSL interception. US-CERT has sent Alerts[2][3] highlighting the CERT/CC paper, that customers may have received.   The US-CERT Alert and the CERT/CC paper describes intermediaries intercepting and negotiating insecure SSL/TLS parameters on what would otherwise be a secure connection between the client and the server. This issue is not applicable to the mechanisms used by PAN-OS to decrypt SSL/TLS sessions, given we do not alter the integrity of cryptographic parameters as negotiated by the client and the server.   Details The information below provides details for customers who may be concerned about the issues mentioned in the paper.   PAN-OS helps customers eliminate the concerns mentioned in the CERT/CC paper, we recommend customers review this document and the additional articles listed in the resources section.   PAN-OS preserves the integrity of the SSL/TLS session by using the cryptographic settings of the original SSL/TLS negotiation as mandated by the client and the server. It does not change the cryptographic parameters once the session has been negotiated, and if the cryptographic parameters do not meet policy requirements as defined by an administrator, PAN-OS can either block or not decrypt the session based on the policy. Further, PAN-OS allows administrators to specify the supported SSL/TLS protocol versions and cipher suites to reduce risk and eliminate the vulnerabilities mentioned in the paper.   In addition, as a suggested best-practice, see https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visibility-and-threat-inspection for information on preventing the use of weak cryptography by clients and servers in the network.   Should you have any questions or need help configuring our products, please don’t hesitate to reach out to your support provider or Palo Alto Networks Support Team at https://support.paloaltonetworks.com.   Reference [1] -   https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html [2] -   https://www.us-cert.gov/ncas/alerts/TA17-075A [3] -   https://www.us-cert.gov/ncas/alerts/TA15-120A   Resources [4] -   https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visibility-and-threat-inspection [5] -   https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/62256 [6] -   https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy [7] -   https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html [8] -   https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-certificates [9] -   https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719 [10] -  https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Enable-CRL-and-OCSP-from-the-WebGUI-and-CLI/ta-p/56490   ... View more

Palo Alto Networks has published a Security Advisory today addressing a security issue:   PAN-SA-2017-0006 - Information Disclosure in Terminal Services Agent Details of the issue, affected versions, and mitigation information can be found in the Security Advisory.   Please visit our Security Advisories website to learn more at  https://securityadvisories.paloaltonetworks.com/   If you have questions, please contact support  https://www.paloaltonetworks.com/company/contact-s upport   Regards Product Security Incident Response Team Palo Alto Networks ... View more