ASB-2018.0222.2 - UPDATE [Appliance][PAN-OS] PAN-OS: Denial of service - Remote/unauthenticated 2018-10-25

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0222.2
                   PAN-OS is vulnerable to FragmentSmack
                              25 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          PAN-OS
Operating System: PAN-OS
                  Network Appliance
Impact/Access:    Denial of Service -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-5391 CVE-2018-5390 

Revision History: October   25 2018: Fixes added for PAN-OS 6.1.22 and 
                                     PAN-OS 8.0.13 and later. Updated list 
                                     of affected products
                  September 21 2018: Initial Release

OVERVIEW

        Palo Alto Networks has advised that PAN-OS is vulnerable to 
        FragmentSmack (CVE-2018-5391). It has separately advised that 
        PAN-OS is not vulnerable to SegmentSmack (CVE-2018-5390); that CVE 
        is listed above for completeness only. [1 - 2]
        
        The following versions of PAN-OS are affected by FragmentSmack 
        (CVE-2018-5391):
        
        "PAN-OS 6.1.21 and earlier running on PA-200, PA-500, PA-2000 Series,
        PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050.

        PAN-OS 7.1.19 and earlier running on PA-200, PA-500, PA-2000 Series,
        PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050 and PA-7080.

        PAN-OS 8.0.12 and earlier running on PA-200, PA-220, PA-500, PA-800
        Series, PA-3000 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260,
        PA-7050 and PA-7080.

        PAN-OS 8.1.4 and earlier running on PA-200, PA-220, PA-220R, PA-500,
        PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series,
        PA-5220, PA-5250, PA-5260, PA-5280, PA-7050 and PA-7080." [1]


IMPACT

        Palo Alto Networks has provided the following details regarding the
        issue:
        
        "Summary
        
        Palo Alto Networks is aware of a recent vulnerability disclosure, 
        known as FragmentSmack, that affects Linux kernel 3.9 and later. At
        this time, our findings show that some Palo Alto Networks devices 
        running specific versions of PAN-OS are vulnerable to this 
        disclosure (CVE-2018-5391). This security advisory will be updated
        as more information becomes available or if there are changes in the
        impact of these vulnerabilities. 
        
        Severity: Medium
        
        A flaw named FragmentSmack was found in the way the Linux kernel 
        handled reassembly of fragmented IPv4 and IPv6 packets. To exploit 
        this vulnerability a remote attacker could send specially crafted 
        packets that trigger time and calculation expensive fragment 
        reassembly algorithms and cause CPU saturation (a denial of service
        on the system). This only affects the Management Plane of PAN-OS." [1]


MITIGATION

        Palo Alto Networks has released the following fixed versions. Note 
        that, as of this bulletin, no fix had been published for the 
        PAN-OS 8.1 train:
        
        "PAN-OS 6.1.22, PAN-OS 7.1.20 and later, and PAN-OS 8.0.13 and 
        later. We will update this security advisory as soon as fixes are 
        available for PAN-OS 8.1." [1]
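
        The affected and fixed ranges above are easy to misread across a 
        fleet (an 8.1.4-h2 hotfix build is still on an affected base 
        release; an 8.1.x build later than 8.1.4 is not covered by this 
        bulletin at all). The following Python script is an added example 
        written for this page; it is not code from AusCERT or Palo Alto 
        Networks. It transcribes the ranges quoted from PAN-SA-2018-0012 
        and classifies version strings against them. The version syntax 
        (major.minor.maintenance with an optional "-hN" hotfix suffix) and 
        the sample inventory are assumptions made for illustration.

```python
"""Version check for the FragmentSmack (CVE-2018-5391) ranges quoted in
this bulletin. Added example, not code from AusCERT or Palo Alto Networks.
Ranges are transcribed from PAN-SA-2018-0012 as updated on 25 October 2018;
for the PAN-OS 8.1 train no fixed release had been published at that date."""

import re

# Per release train: highest affected maintenance release and, where the
# bulletin names one, the first fixed release. None = no fix published yet.
TRAINS = {
    (6, 1): {"last_affected": (6, 1, 21), "first_fixed": (6, 1, 22)},
    (7, 1): {"last_affected": (7, 1, 19), "first_fixed": (7, 1, 20)},
    (8, 0): {"last_affected": (8, 0, 12), "first_fixed": (8, 0, 13)},
    (8, 1): {"last_affected": (8, 1, 4),  "first_fixed": None},
}

# Assumed version syntax: major.minor.maintenance with an optional "-hN"
# hotfix suffix (e.g. 8.1.4-h2). Anything else is rejected rather than guessed.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def fmt(parts):
    """Render a version tuple as dotted text."""
    return ".".join(str(p) for p in parts)


def parse_version(text):
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version):
    """Classify one version string as ('vulnerable'|'fixed'|'unknown', reason).

    The bulletin lists base releases only, so a hotfix build (8.0.12-h1) is
    judged on its base release. 'unknown' means this bulletin does not settle
    the question and the vendor advisory must be consulted.
    """
    base = parse_version(version)[:3]
    train = TRAINS.get(base[:2])
    if train is None:
        return ("unknown", "release train not covered by PAN-SA-2018-0012")
    if base <= train["last_affected"]:
        return ("vulnerable",
                f"{fmt(train['last_affected'])} and earlier are affected "
                "(management plane only)")
    if train["first_fixed"] is None:
        return ("unknown",
                "later than the listed affected release, but no fix was "
                "published for this train at the bulletin date")
    return ("fixed", f"{fmt(train['first_fixed'])} and later contain the fix")


def audit(inventory):
    """Map each (hostname, version) pair to its (status, reason)."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-edge-01",   "8.0.12"),
    ("fw-edge-02",   "8.0.13"),
    ("fw-dc-01",     "8.1.4-h2"),
    ("fw-branch-03", "7.1.20"),
    ("fw-legacy-01", "6.1.21"),
    ("fw-lab-01",    "9.0.0"),
]

if __name__ == "__main__":
    for host, (status, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status:10} {reason}")
```

        Feed it the software version reported by each appliance (the 
        'sw-version' field of the PAN-OS 'show system info' output) and 
        treat every 'unknown' result as a prompt to re-read the current 
        vendor advisory, not as a clean bill of health. The script 
        deliberately refuses to parse version strings in any other shape 
        rather than guessing at them.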


REFERENCES

        [1] PAN-SA-2018-0012 Information about FragmentSmack findings
            https://securityadvisories.paloaltonetworks.com/Home/Detail/131

        [2] PAN-SA-2018-0013 Information about SegmentSmack findings
            https://securityadvisories.paloaltonetworks.com/Home/Detail/132

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================