This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

TID 95187 is not on my signature list

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

TID 95187 is not on my signature list

Go to solution
emr_1
L5 Sessionator

‎04-12-2024 02:12 AM

Hi,
The question is related to following vulnerability: https://security.paloaltonetworks.com/CVE-2024-3400

 

In this it said "Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682)."

 

However, when I update content signature to the latest ( which is 8833-8682 ), and then try to create new vulnerability profile with specifying 95187 only, it does not shows me 95187.

 

2024-04-12 18 05 53.png

With ID range, the result is as below

2024-04-12 18 06 54.png

 

I'm sure there is ID 95187 because I can check via CLI.

 

admin@PA-410> show system info | match app-version
app-version: 8833-8682
admin@PA-410> show threat id 95187


This signature detects malicious payload in HTTPS request.


critical
Unknown
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention

admin@PA-410>

 

 

NOTE:  I can replicate this condition with other platforms too.

 

How can I create this vulnerability profile for mitigation?

 

 

5 people had this problem.
1 accepted solution

Accepted Solutions

Go to solution
ymiyashita
L5 Sessionator

‎04-12-2024 04:41 AM

This is a GUI issue.
Once Applications and Threats content version 8833-8682 was installed, the signature (TID: 95187) is available on the firewall.

 

The severity of the signature is "Critical" and the default action is "reset-server". So, if you clone the strict/default vulnerability profile, or if you follow the best practice, then the signature is effective (enabled).
https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-inter...

 

To fix the GUI issue, please try the followings and see if it works.
1. Go to "Device" -> "Dynamic Update" -> find the content version 'previously' installed -> "Revert"
2. Then, revert back to 8833
3. Refresh the browser page. (or try using another browser)

View solution in original post

16 REPLIES 16

Go to solution
jorntweyts
L1 Bithead

‎04-12-2024 03:41 AM - edited ‎04-12-2024 03:48 AM

I see the same thing.
Can someone confirm if this is is just cosmetic?

Because if you can't individually select the Threat ID, to me the question becomes:

 

If you create a Vulnerability Policy with the action 'reset-server' for ALL 'high' & 'critical' threat IDs, will the profile hit this 'hidden' threat or not?

0 Likes Likes

Go to solution
emr_1
L5 Sessionator

‎04-12-2024 03:55 AM

Even I don't know this is cosmetic issue or not, I could find the way to show TID 95187.

Try following:

1. create sample profile from CLI. sample command is as below

# set profiles vulnerability "sampleconfig" threat-exception 95187 action reset-both

2. go back to your GUI. you can reuse "sampleconfig" profile or delete it if you don't need, then edit your existing profile with TID 95187

 

Even I could configure it, I still curious this protect my GP Gateway (hope this is cosmetic issue)

Go to solution
jorntweyts
L1 Bithead

‎04-12-2024 04:17 AM

Thanks,

I can confirm your workaround works on a firewall (it didn't on the panorama)

 

It does look cosmetic but I have no way of testing it.

So, to be sure I went ahead and disabled Telemetry.

0 Likes Likes

Go to solution
ymiyashita
L5 Sessionator

‎04-12-2024 04:41 AM

This is a GUI issue.
Once Applications and Threats content version 8833-8682 was installed, the signature (TID: 95187) is available on the firewall.

 

The severity of the signature is "Critical" and the default action is "reset-server". So, if you clone the strict/default vulnerability profile, or if you follow the best practice, then the signature is effective (enabled).
https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-inter...

 

To fix the GUI issue, please try the followings and see if it works.
1. Go to "Device" -> "Dynamic Update" -> find the content version 'previously' installed -> "Revert"
2. Then, revert back to 8833
3. Refresh the browser page. (or try using another browser)

Go to solution
PA_nts
L3 Networker

‎04-12-2024 05:14 AM

Tried on 2 different FWs.. same issue.. even the release notes does not state the threat ID

0 Likes Likes

Go to solution
Maur73G
L1 Bithead
In response to ymiyashita

‎04-12-2024 05:20 AM

I've tried with the revert to the previously installed version and then got back to the 8833 and it didn't work in PAN-OS 10.2.7-h3 (I can't see the 8833 signatures in the GUI)

 

I could check in the GUI in a PAN-OS 10.1.6-h7 and the Threat ID is visible in the Vulnerability Profiles after receiving the 8833.

 

The TAC analyst indicates me the 8833 signatures are not visible in the GUI of 10.2 and above, and the way to confirm is the output of "show threat id 95187".

 

However, as some of you wrote in this post, I hope that is just a cosmetic issue because we don't know how can find out if it's working.

0 Likes Likes

Go to solution
ymiyashita
L5 Sessionator
In response to Maur73G

‎04-12-2024 05:34 AM

Did you also refresh the browser page or try another browser?
I could make it work in PAN-OS 10.2.7-h3.

Go to solution
Maur73G
L1 Bithead
In response to ymiyashita

‎04-12-2024 05:47 AM

You're right , I've tried some minutes ago and I can see the 95187 signature in PAN-OS 10.2.7-h3

0 Likes Likes

Go to solution
David-P
L0 Member

‎04-12-2024 08:19 AM

running 11.1.2 and cant see the ID in pan or the firewall gui.

0 Likes Likes

Go to solution
CENSS01
L1 Bithead

‎04-12-2024 09:21 AM

We see the required Vulnerability ID in all PA Firewalls that have at least A&T version 8833-868. Ultimately, this can be added to the policy already protecting a GPVPN Zone...although, having a Universal, new, Sec. Policy at the top, encompassing this CVE, might not be a bad additional protection layer.

 

CENSS01_1-1712938167822.png

 

CENSS01_2-1712938741857.png

 

Go to solution
Tinkani
L1 Bithead

‎04-12-2024 09:57 AM - edited ‎04-12-2024 09:58 AM

I tried the following, and it work for me.

1. download > install 8833-8682
2. download > install / revert to 8832-8674
3. Revert to 8833-8682

Tin Kanitin
0 Likes Likes

Go to solution
CENSS01
L1 Bithead
In response to ymiyashita

‎04-12-2024 11:36 AM

A good review. 👌 Although, we cannot see a reason to have "revert" A&T version as suggested to see the required CVE ID?  The A&T version encompassing the required ID for this CVE, is already part of the latest, the only latest, A&T version available (as far as we can see in various support portals and Firewalls).  If the PA is set to better practices, such as download & install A&T every 30-45 minutes (except for environments that needs to test all A&T versions before deployment), the CVE ID in question should already be available without any required "fix" or "revert."  In fact, if the ID is missing, a manual install would be needed if the installed A&T version is not the latest shown .... as it seems to be the only latest A&T as of 11:00 PT today....so, if it's not already there, it should be installed, not reverted.

 

From the support portal:

CENSS01_1-1712946793327.png

 

From a PA Firewall:

CENSS01_2-1712946900898.png

 

 

 

0 Likes Likes

Go to solution
fuzzyraines
L0 Member

‎04-12-2024 02:15 PM

We noticed this problem also on PanOS 10.2.6. We were able to see the Threat ID when opening a new in-private browser instance or having a colleague check for it. Seems to be cosmetic.

0 Likes Likes

Go to solution
JBEHR
L1 Bithead

‎04-13-2024 11:28 AM

I had this issue on 10.2.7-h3, I installed 8834-8684 which came out yesterday and now its showing up in the Panorama Web GUI.

0 Likes Likes
  • 1 accepted solution
  • 6224 Views
  • 16 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks