ASB-2018.0222.3 - UPDATE [Appliance][PAN-OS] PAN-OS: Denial of service - Remote/unauthenticated - 2018-11-30


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0222.3
                   PAN-OS is vulnerable to FragmentSmack
                             30 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          PAN-OS
Operating System: PAN-OS
                  Network Appliance
Impact/Access:    Denial of Service -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-5391 CVE-2018-5390

Revision History: November  30 2018: Fixes available for PAN-OS 8.1
                  October   25 2018: Fixes added for PAN-OS 6.1.22 and PAN-OS 8.0.13 and later. Updated list of affected products
                  September 21 2018: Initial Release

OVERVIEW

        Palo Alto Networks has advised that PAN-OS is vulnerable to FragmentSmack
        (CVE-2018-5391) but that PAN-OS is not vulnerable to SegmentSmack
        (CVE-2018-5390). [1 - 2]
        
        The following versions of PAN-OS are affected by FragmentSmack 
        (CVE-2018-5391):
        
        "PAN-OS 6.1.21 and earlier running on PA-200, PA-500, PA-2000 
        Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050. 
        PAN-OS 7.1.19 and earlier running on PA-200, PA-500, PA-2000 Series,
        PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050 and PA-7080.
        PAN-OS 8.0.12 and earlier running on PA-200, PA-220, PA-500, PA-800
        Series, PA-3000 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, 
        PA-7050 and PA-7080. PAN-OS 8.1.4 and earlier running on PA-200, 
        PA-220, PA-220R, PA-500, PA-800 Series, PA-3000 Series, PA-3200 
        Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, PA-5280, PA-7050
        and PA-7080." [1]


IMPACT

        Palo Alto has provided the following details regarding the issues:
        
        "Summary
        
        Palo Alto Networks is aware of a recent vulnerability disclosure,
        known as FragmentSmack, that affects Linux kernel 3.9 and later. At
        this time, our findings show that some Palo Alto Networks devices
        running specific versions of PAN-OS are vulnerable to this
        disclosure (CVE-2018-5391). This security advisory will be updated
        as more information becomes available or if there are changes in the
        impact of these vulnerabilities.
        
        Severity: Medium
        
        A flaw named FragmentSmack was found in the way the Linux kernel 
        handled reassembly of fragmented IPv4 and IPv6 packets. To exploit 
        this vulnerability a remote attacker could send specially crafted 
        packets that trigger time and calculation expensive fragment 
        reassembly algorithms and cause CPU saturation (a denial of service
        on the system). This only affects the Management Plane of PAN-OS." [1]


MITIGATION

        The following updates have been made available to fix FragmentSmack:
        
        "PAN-OS 6.1.22, PAN-OS 7.1.20 and later, PAN-OS 8.0.13 and later, and 
        PAN-OS 8.1.5 and later." [1]
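        The affected and fixed versions above map directly onto a per-branch
        check that an operator can run over a firewall inventory. The script
        below is an added example for this bulletin, not code from AusCERT or
        Palo Alto Networks: it encodes the last affected release in each
        PAN-OS branch named here (6.1.21, 7.1.19, 8.0.12, 8.1.4) and reports
        whether a reported version is affected, fixed, or in a branch the
        bulletin does not list. The hostnames and versions in the inventory
        are constructed; the "-hN" hotfix suffix handling and the treatment
        of hotfix builds of an affected base release as still affected are
        assumptions, since the bulletin states base versions only.

```python
"""Check PAN-OS version strings against the FragmentSmack (CVE-2018-5391)
versions listed in ASB-2018.0222.3.

Added example; not AusCERT or Palo Alto Networks code.
"""
import re
from typing import Optional, Tuple

# Last affected release per PAN-OS branch, from the bulletin text:
# 6.1.21, 7.1.19, 8.0.12 and 8.1.4 "and earlier" are affected; the next
# release in each branch (6.1.22, 7.1.20, 8.0.13, 8.1.5) carries the fix.
LAST_AFFECTED = {
    (6, 1): 21,
    (7, 1): 19,
    (8, 0): 12,
    (8, 1): 4,
}

# Accepts "8.0.12" and hotfix builds such as "8.0.12-h1". The hotfix
# suffix format is an assumption; the bulletin lists base versions only.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split a PAN-OS version into (major, minor, patch, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def fragmentsmack_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for a PAN-OS version.

    'not-listed' means the branch is not named in PAN-SA-2018-0012, so the
    bulletin makes no statement about it either way.
    """
    major, minor, patch, _hotfix = parse_version(text)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "not-listed"
    # Hotfix builds of an affected base release are treated as affected
    # (conservative assumption: the bulletin names base versions only).
    return "affected" if patch <= last else "fixed"


def fixed_version_for(text: str) -> Optional[str]:
    """First fixed release in the version's branch, or None if not listed."""
    major, minor, _patch, _hotfix = parse_version(text)
    last = LAST_AFFECTED.get((major, minor))
    return None if last is None else f"{major}.{minor}.{last + 1}"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version reported by the device).
    inventory = [
        ("fw-edge-1", "8.1.4"),
        ("fw-edge-2", "8.1.5"),
        ("fw-dc-1", "7.1.19"),
        ("fw-dc-2", "8.0.12-h1"),
        ("fw-lab", "9.0.0"),
    ]
    for host, ver in inventory:
        status = fragmentsmack_status(ver)
        advice = ""
        if status == "affected":
            advice = f"upgrade to {fixed_version_for(ver)} or later"
        print(f"{host:10} {ver:10} {status:10} {advice}")
```

        Feed the script the version strings from your own inventory export;
        a "not-listed" result is a prompt to consult the vendor advisory for
        that branch rather than a statement that the release is unaffected.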


REFERENCES

        [1] PAN-SA-2018-0012 Information about FragmentSmack findings
            https://securityadvisories.paloaltonetworks.com/Home/Detail/131

        [2] PAN-SA-2018-0013 Information about SegmentSmack findings
            https://securityadvisories.paloaltonetworks.com/Home/Detail/132

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----