ASB-2018.0035.2 - UPDATE [Appliance] Palo Alto PAN-OS: Access privileged data - Remote/unauthenticated 2018-03-14


===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0035.2
          A vulnerability has been identified in Palo Alto PAN-OS
                               14 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Palo Alto PAN-OS
Operating System: Network Appliance
Impact/Access:    Access Privileged Data         -- Remote/Unauthenticated
                  Provide Misleading Information -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2017-17841  

Revision History: March   14 2018: Updated source text with patched versions
                                   & mitigation
                  January 18 2018: Initial Release

OVERVIEW

        A vulnerability has been identified in Palo Alto PAN-OS versions prior
        to 7.1.15 and 8.0.7. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerability:
        
        "ROBOT is an attack that affects the TLS RSA key exchange and could
        lead to decryption of captured sessions if the TLS server originally
        serving said captured session is still alive, vulnerable and using 
        the same private key. (PAN-89936 / CVE-2017-17841)" [1]


MITIGATION

        The vendor recommends that users upgrade to the fixed versions of
        PAN-OS (6.1.20, 7.1.15 and 8.0.7) to address this issue. [1]
        
        The vendor also advises a mitigation:
        "Customers running PAN-OS 7.1 or later can configure their SSL
        Decryption profiles to disable RSA. If the GlobalProtect server
        certificate is using RSA, customers running PAN-OS 7.1 or later
        can opt to replace this certificate with one implementing the
        Elliptic Curve DSA algorithm as a safer alternative. In addition,
        Palo Alto Networks has released content update 757 which includes a
        vulnerability signature ("TLS Network Security Protocol Information
        Disclosure Vulnerability - ROBOT", #38407) that can be used as an
        interim mitigation to protect PAN-OS devices until the software is
        upgraded. For complete protection, signature #38407 must be applied
        upstream from any interfaces implementing SSL Decryption, or hosting
        a GlobalProtect portal or a GlobalProtect gateway." [1]
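        The "disable RSA" mitigation above works because ROBOT needs the server to
        accept a static RSA key exchange (the TLS_RSA_* suites); forward-secret
        (EC)DHE suites and an ECDSA certificate are out of its reach. The following
        check, added here as an example rather than Palo Alto's or AusCERT's code,
        flags RSA-key-transport suites in a scanned suite list and can probe a live
        endpoint such as a GlobalProtect portal; the sample suite list and host name
        are constructed assumptions.

```python
"""Flag TLS cipher suites that still use static RSA key transport (ROBOT exposure)."""
import socket
import ssl


def uses_rsa_key_exchange(suite: str) -> bool:
    """True when the suite's key exchange is plain RSA key transport.

    Accepts IANA names (TLS_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL names
    (AES128-GCM-SHA256, which omit the key-exchange token). TLS 1.3 suites
    carry no key-exchange token and always use (EC)DHE, so they are safe.
    """
    s = suite.upper()
    if s.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return False                      # TLS 1.3: never RSA key transport
    if any(tok in s for tok in ("DH", "PSK", "SRP", "KRB5")):
        return False                      # DHE/ECDHE/anon DH, PSK, SRP, Kerberos
    if s.startswith("TLS_RSA_"):
        return True                       # IANA TLS_RSA_WITH_* / TLS_RSA_EXPORT_*
    return not s.startswith("TLS_")       # OpenSSL name with no kx token == kRSA


def rsa_kx_suites(offered):
    """Return the subset of a suite list (e.g. from a scan) that still needs fixing."""
    return [s for s in offered if uses_rsa_key_exchange(s)]


def probe_rsa_key_exchange(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only RSA-key-transport suites; True if the server completes the handshake.

    Needs network access. Identity is not validated: this is a posture check only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # RSA kx only exists up to TLS 1.2
    ctx.set_ciphers("kRSA")                        # OpenSSL selector: RSA key exchange
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return uses_rsa_key_exchange(tls.cipher()[0])
    except (ssl.SSLError, OSError):
        return False                               # refused: RSA key transport disabled


# Constructed sample of suites an imagined decryption profile might offer.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in rsa_kx_suites(SAMPLE_OFFERED):
        print("RSA key transport still enabled:", suite)
    print("portal.example.invalid accepts kRSA:", probe_rsa_key_exchange("portal.example.invalid"))
```

        A result of True from the probe means the endpoint still meets ROBOT's
        precondition; a server that has disabled RSA key exchange rejects the
        handshake and the probe returns False.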


REFERENCES

        [1] Palo Alto bulletin: (high) ROBOT attack against PAN-OS
            (PAN-SA-2017-0032)
            https://securityadvisories.paloaltonetworks.com/Home/Detail/117

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================