ASB-2017.0217 - ALERT [Appliance] PAN-OS: Administrator compromise - Remote/unauthenticated 2017-12-15


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0217
           Remote code execution patched in Palo Alto firewalls
                             15 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PAN-OS
Operating System:     Network Appliance
Impact/Access:        Administrator Compromise -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-15944  
Member content until: Sunday, January 14 2018

OVERVIEW

        By chaining several unrelated vulnerabilities that are reachable
        through the device's management interface, a remote, unauthenticated
        attacker could execute code on PAN-OS in the context of the
        highest-privileged user. [1]
        
        (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 / CVE-2017-15944)


IMPACT

        The vendor has provided the following details regarding the issue:
        
        "PAN-OS contains multiple vulnerabilities that, when exploited in
        conjunction could lead to remote code execution
        prior to authentication." [1]


MITIGATION

        The vendor recommends updating to PAN-OS 6.1.19, 7.0.19, 7.1.14 or
        8.0.6 (whichever matches the release train in use) to correct the
        issue. [1]
        
        The vendor also advises:
        "Palo Alto Networks has released content update 756 including
        vulnerability signatures #40483 and #40484 that can be used as
        an interim mitigation to protect PAN-OS devices until the device
        software is upgraded. Note that signatures 40483 and 40484 must be
        applied to a firewall rule securing traffic destined for the
        Management interface. This issue affects the management interface
        of the device and is strongly mitigated by following best practices
        for the isolation of management interfaces for security appliances.
        We recommend that the management interface be isolated and strictly
        limited only to security administration personnel through either
        network segmentation or using the IP access control list restriction
        feature within PAN-OS." [1]
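        The following triage script is an added example, not part of the
        AusCERT bulletin or of Palo Alto Networks' own tooling. It classifies
        an inventory of devices against the fixed releases and the content
        version named above; the device names and versions are constructed,
        and the "-hN" hotfix suffix format is assumed.

```python
import re

# Fixed releases named in the bulletin, keyed by (major, minor) train.
FIXED_RELEASES = {(6, 1): 19, (7, 0): 19, (7, 1): 14, (8, 0): 6}

# Content update carrying the interim signatures #40483 and #40484.
INTERIM_CONTENT_VERSION = 756

# PAN-OS versions look like 7.1.13 or, with a hotfix, 8.0.6-h3 (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix) for a PAN-OS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def patch_status(version_text):
    """'patched', 'unpatched' or 'unknown-train' against the fixed releases."""
    major, minor, patch, _hotfix = parse_version(version_text)
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return "unknown-train"  # the bulletin names no fix for this train
    return "patched" if patch >= fixed_patch else "unpatched"


def triage(inventory):
    """Map device name -> action for (name, panos_version, content_version).

    A current content version only makes the interim mitigation available:
    the signatures still have to sit on a rule protecting management traffic."""
    actions = {}
    for name, panos, content in inventory:
        status = patch_status(panos)
        if status == "patched":
            actions[name] = "ok"
        elif status == "unpatched" and content >= INTERIM_CONTENT_VERSION:
            actions[name] = "upgrade; interim signatures available, confirm mgmt rule"
        elif status == "unpatched":
            actions[name] = "upgrade; apply content 756+ in the meantime"
        else:
            actions[name] = "review manually; train not covered by advisory"
    return actions


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [("fw-edge-1", "8.0.6-h1", 760), ("fw-dc-2", "7.1.13", 757),
                    ("fw-branch-3", "7.0.18", 740), ("fw-lab-4", "6.0.15", 700)]
```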


REFERENCES

        [1] Vulnerability in PAN-OS on Management Interface
            https://securityadvisories.paloaltonetworks.com/Home/Detail/102

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
