I know this is an old thread but just to tie the knot on this, there was a bug ID assigned for this issue (PAN-60414) and the fix for it was released on v7.1.13 and later versions/releases. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-release-notes/pan-os-7-1-addressed-issues/pan-os-7-1-13-addressed-issues Also, the content update (version 8164) has modified the HL7 App-ID for recategorization.
I know this thread is a couple of months old but I'll post a response anyway.
There are 6 critical vulnerabilities from the Urgent/11 family.
A specially crafted IP packet sent to the target can cause a stack overflow in the handling of IP options in the header, possibly leading to remote code execution. If you have a device (like our NGFW) that can clear IP options from the IPv4 header for ingress traffic, you can neutralize this exploit. Palo Alto Networks NGFW does not clear IP options by default, so you can create a specific zone protection profile that drops the relevant IP options and apply it to the segment where your vulnerable VxWorks device is connected. "Network tab - Zone Protection Profile - add - Packet based attack protection tab"
CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263
These 4 vulnerabilities all leverage manipulating the TCP URG flag/pointer. Palo Alto Networks NGFW clears the URG field as the default, out-of-the-box configuration, neutralizing these attacks. This is a global setting, however, and cannot be applied only to a specific zone. You can run the following command to check your NGFW's current setting: "show running tcp state"
From the web GUI, under the Device tab - TCP Settings.
Exploiting this vulnerability requires the attacker to send a crafted DHCP server response before the actual DHCP server response gets to the victim host. Configuring a security rule on your NGFW to only allow DHCP traffic from your authorized DHCP server can thwart such attacks. This obviously wouldn't work if the attacker was on the same network as the victim host. If such an implementation is not feasible due to other devices in the network, consider isolating vulnerable devices in their own network segment/zone(s) so that the desired FW security rule can be applied.
@jesseholland @Eusono @tmcneil @matthewroberson @KevinMedeiros
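As an added example (not code from either post, nor from Palo Alto Networks), here is a small Python parser that reports which of the two header features the mitigations above act on a packet carries: IP options in the IPv4 header (what the zone protection profile drops) and a set TCP URG flag or urgent pointer (what the NGFW clears by default). The `build_packet` helper and the addresses in it are constructed test data, not captures.

```python
import struct

def build_packet(ip_options: bytes = b"", tcp_flags: int = 0x02, urg_ptr: int = 0) -> bytes:
    """Constructed minimal IPv4+TCP packet (checksums zeroed) for offline testing."""
    opts = ip_options + b"\x00" * (-len(ip_options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | tcp_flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    return ip + opts + tcp

def ip_option_kinds(pkt: bytes) -> list:
    """Walk the IPv4 options area and return the option kinds present.
    Raises ValueError on a malformed header or option (itself a reason to drop)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    kinds, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No Operation (single byte, no length field)
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed IP option %d" % kind)
        kinds.append(kind)
        i += pkt[i + 1]
    return kinds

def urgent11_indicators(pkt: bytes) -> list:
    """Return the header features this packet carries that the discussed mitigations act on:
    'ip-options' / 'ip-options-malformed' -> zone protection profile (drop IP options)
    'tcp-urg'                             -> NGFW default clearing of the URG flag/pointer"""
    found = []
    try:
        if ip_option_kinds(pkt):
            found.append("ip-options")
    except ValueError:
        found.append("ip-options-malformed")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6 and len(pkt) >= ihl + 20:              # protocol 6 = TCP
        off_flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0]
        urg_ptr = struct.unpack("!H", pkt[ihl + 18:ihl + 20])[0]
        if off_flags & 0x20 or urg_ptr:                   # 0x20 = URG bit
            found.append("tcp-urg")
    return found
```

Run over packets from a capture of the segment in front of a VxWorks device, a nonzero result on traffic that reached the device tells you the corresponding mitigation is not in place on that path.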