Palo Alto Networks Security Advisory (PAN-SA-2016-0002) to (PAN-SA-2016-0005)
Dear Teneo Customer,
Palo Alto Networks has recently issued security advisories to address certain vulnerabilities in its products.
The advisories are:
PAN-SA-2016-0005 (Severity: Critical)
PAN-SA-2016-0003 (Severity: High)
PAN-SA-2016-0004 (Severity: Medium)
PAN-SA-2016-0002 (Severity: Low)
________________________________________________________________________________________________________________________
Palo Alto Networks Security Advisory (PAN-SA-2016-0005)
Unauthenticated Buffer Overflow in GlobalProtect/SSL VPN Web Interface
Posted: 24/02/2016
Summary
When a PAN-OS device is configured as a GlobalProtect portal, a vulnerability exists where an improper handling of a buffer involved in the processing of SSL VPN requests can result in device crash and possible remote code execution. (Ref. #89752)
Severity: Critical
An attacker with network access to the vulnerable GlobalProtect portal may be able to perform a denial-of-service (DoS) attack on the device, and may be able to perform remote code execution on the affected device.
Products Affected
PAN-OS releases 5.0.17, 6.0.12, 6.1.9, 7.0.4 and prior
Available Updates
PAN-OS releases 5.0.18, 6.0.13, 6.1.10 and 7.0.5 and newer
Workarounds and Mitigations
Emergency content update 563 contains an IPS signature (#38902) that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signature 38902 must be applied to a firewall rule securing traffic destined for the GlobalProtect portal. The GlobalProtect portal should only be present once per installation, limiting the organization’s exposure to this issue. This issue can be further mitigated by disabling the affected optional “login page” in the GlobalProtect portal configuration; distribution of the client-side software may be performed through alternative means such as GPO or a network share while the PAN-OS patch is applied.
________________________________________________________________________________________________________________________
Palo Alto Networks Security Advisory (PAN-SA-2016-0003)
Unauthenticated Command Injection in Management Web Interface
Posted: 24/02/2016
Summary
Palo Alto Networks PAN-OS implements an API to enable programmatic device configuration and administration of the device. An issue was identified where the management API incorrectly parses input to a specific API call, leading to execution of arbitrary OS commands without authentication via the management interface. (Ref. #89717)
Severity: High
This issue can be exploited remotely by an unauthenticated user with network access to the device management web-based API.
Products Affected
PAN-OS releases 5.0.17, 6.0.12, 6.1.9, 7.0.4 and prior
Available Updates
PAN-OS releases 5.0.18, 6.0.13, 6.1.10 and 7.0.5 and newer
Workarounds and Mitigations
Emergency content update 563 contains an IPS signature (#38904) that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signature 38904 must be applied to a firewall rule securing traffic destined for the device management web interface, and decryption must be applied. This issue is further mitigated by following security appliance management best practices, which require that network access to the management interfaces be isolated and strictly limited to security administration personnel.
________________________________________________________________________________________________________________________
Palo Alto Networks Security Advisory (PAN-SA-2016-0004)
Unauthenticated Stack Exhaustion in GlobalProtect/SSL VPN Web Interface
Posted: 24/02/2016
Summary
When a PAN-OS device is configured as a GlobalProtect web portal, a specially crafted request to the portal could result in a crash of the service. (Ref. #89750)
Severity: Medium
This issue can be exploited remotely by an attacker with network access to the GlobalProtect portal in order to cause a denial-of-service (DoS) via a service crash.
Products Affected
PAN-OS releases 5.0.17, 6.0.12, 6.1.9, 7.0.5 and prior
Available Updates
PAN-OS releases 5.0.18, 6.0.13, 6.1.10 and 7.0.5H2 and newer
Workarounds and Mitigations
Emergency content update 563 contains an IPS signature (#38903) that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signature 38903 must be applied to a firewall rule securing traffic destined for the GlobalProtect portal. The GlobalProtect portal should only be present once per installation, limiting the organization’s exposure to this issue. This issue can be further mitigated by disabling the affected optional “login page” in the GlobalProtect portal configuration; distribution of the client-side software may be performed through alternative means such as GPO or a network share while the PAN-OS patch is applied.
________________________________________________________________________________________________________________________
Palo Alto Networks Security Advisory (PAN-SA-2016-0002)
Command Injection in Command Line Interface
Posted: 24/02/2016
Summary
Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution at the OS level. This vulnerability requires successful authentication, but can be used to execute OS commands with root privileges if the logged-on user has administrative privileges. (Ref. #89706)
Severity: Low
This vulnerability is exploitable only by authenticated administrators that are granted access to the device management CLI.
Products Affected
PAN-OS releases 5.0.17, 5.1.10, 6.0.12, 6.1.9, 7.0.5 and prior
Available Updates
PAN-OS releases 5.0.18, 5.1.11, 6.0.13, 6.1.10 and 7.0.5H2 and newer
Workarounds and Mitigations
This issue only affects authenticated device users and Panorama users with CLI access enabled. Deployments making use of Role-Based Access Control (RBAC) do not offer CLI access by default. As a best practice, CLI access should be carefully considered, and granted only when necessary to privileged administrators.
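The four advisories above each list the first fixed release per PAN-OS maintenance train, and PAN-SA-2016-0004 and PAN-SA-2016-0002 are only closed by the 7.0.5H2 hotfix, so "7.0.5" is patched for some advisories and still exposed for others. The following script is an added example (not Palo Alto Networks or Teneo code) that takes the version string from a device and reports, per advisory, whether it still needs the upgrade. The fixed-release lists are copied from the "Available Updates" sections; treating an "H<n>" suffix as a fourth version component (so 7.0.5 sorts below 7.0.5H2) and the optional hyphen in the regex are assumptions made for this script.

```python
"""Check a running PAN-OS version against PAN-SA-2016-0002 .. 0005.

Added example, not vendor code. Fixed releases come from the advisory text;
hotfix ordering (7.0.5 < 7.0.5H2) is an assumption of this script.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per maintenance train, copied from "Available Updates".
FIXED_RELEASES: Dict[str, List[str]] = {
    "PAN-SA-2016-0005": ["5.0.18", "6.0.13", "6.1.10", "7.0.5"],
    "PAN-SA-2016-0003": ["5.0.18", "6.0.13", "6.1.10", "7.0.5"],
    "PAN-SA-2016-0004": ["5.0.18", "6.0.13", "6.1.10", "7.0.5H2"],
    "PAN-SA-2016-0002": ["5.0.18", "5.1.11", "6.0.13", "6.1.10", "7.0.5H2"],
}

# major.minor.maint with an optional hotfix suffix such as "H2" or "-h2" (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?[hH](\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '7.0.5H2' into (7, 0, 5, 2).

    A release without a hotfix gets hotfix number 0, so 7.0.5 sorts before
    7.0.5H2 (assumption: a hotfix never lowers a release).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def status(advisory: str, running: str) -> Optional[bool]:
    """True  -> running release is older than the fix for its train (affected).
    False -> running release is the fixed release or newer.
    None  -> the advisory lists no fixed release for that major.minor train,
             so the script refuses to guess (e.g. 5.1.x for PAN-SA-2016-0005)."""
    ver = parse_version(running)
    for fixed in FIXED_RELEASES[advisory]:
        fv = parse_version(fixed)
        if fv[:2] == ver[:2]:      # same maintenance train
            return ver < fv
    return None


def report(running: str) -> Dict[str, Optional[bool]]:
    """Per-advisory affected status for one device's version string."""
    return {adv: status(adv, running) for adv in FIXED_RELEASES}


if __name__ == "__main__":
    # Constructed sample inventory: version strings as a device would report them.
    for version in ["7.0.4", "7.0.5", "7.0.5H2", "6.1.9", "5.1.10", "7.0.6"]:
        flags = report(version)
        open_items = [adv for adv, hit in flags.items() if hit]
        unknown = [adv for adv, hit in flags.items() if hit is None]
        print(f"{version:8s} affected={open_items} not_listed={unknown}")
```

Run it against the output of `show system info` from each firewall; a `True` entry means that advisory's fix is missing and the corresponding interim IPS signature from content update 563 should stay in place until the upgrade lands. A `None` entry is deliberate: the train is not mentioned in that advisory, and the script does not infer exposure the page does not state.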
________________________________________________________________________________________________________________________
What if I need help?
If you have any questions regarding this notification please don’t hesitate to reach out to us, or visit our support portal.
You can contact us on our 24 x 7 support number or mail us support@teneo.net
EMEA: +44 (0)845 299 0623
US: +1 877 836 3610
APAC: +61 1800 765 389
Thanks
Teneo Support