-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0241.3
                    PAN-SA-2018-0015 OpenSSL in PAN-OS
                             21 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Palo Alto PAN-OS
Operating System: PAN-OS
Impact/Access:    Access Privileged Data -- Existing Account      
                  Denial of Service      -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-0739 CVE-2018-0737 CVE-2018-0732
Reference:        ASB-2018.0180
                  ASB-2018.0118
                  ASB-2018.0113
                  ESB-2018.3049
                  ESB-2018.2944
                  ESB-2018.2941

Revision History: November 21 2018: Updated mitigation section
                  October  25 2018: Updated list of affected products and 
                                    information on available patches
                  October  12 2018: Initial Release

OVERVIEW

        Palo Alto Networks has addressed vulnerabilities from the third 
        party software OpenSSL in the following versions:
        
        o PAN-OS 6.1.20 and earlier,
        
        o PAN-OS 7.1.20 and earlier,
        
        o PAN-OS 8.0.13 and earlier,
        
        o PAN-OS 8.1.3 and earlier
        
        o WF-500 running WF-500 software versions PAN-OS 6.1.20 and earlier
        PAN-OS 7.1.20 and earlier, PAN-OS 8.0.13 and earlier, and PAN-OS 
        8.1.3 and earlier [1]


IMPACT

        The vendor provided the following detail on the vulnerability:
        
        "The OpenSSL library has been found to contain vulnerabilities 
        CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739" [1]
        
        "The OpenSSL library in use by PAN-OS is patched on a regular 
        basis." [1]


MITIGATION

        There are updates available for the following versions of PAN-OS:
        
        o PAN-OS 7.1.21 and later, 
        o PAN-OS 8.0.14 and later, 
        o PAN-OS 8.1.4 and later, 
        o WF-500 running WF-500 software version 8.0.14 and later, 
        o WF-500 running WF-500 software version 8.1.4 and later. 
        
        The vendor states that PAN-OS 6.1 will NOT have a fix. [1]
        
        The vendor states that:
        
        "For WF-500 software versions 7.1 and earlier, please consult the
        WildFire Administrator's Guide for steps to upgrade the software." 
        [1]


REFERENCES

        [1] PAN-SA-2018-0015 OpenSSL in PAN-OS
            https://securityadvisories.paloaltonetworks.com/Home/Detail/133

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW/UDTGaOgq3Tt24GAQhKABAA2sn28VyzePejHGiXjmU3Bhu0B5QAGmPf
hztHjtpAQNemiWC7tQoQqVoIIhcibp6IydqEOCYe7spm45zP6QYCg6+jVn2D8/kZ
1wfBKrxh3FULYJPsn6NqD6l7CqH8RIRNz+VNUHEk9gu1VBXO2H0wHP6REmCdiH/C
YEt+gIrOQzz98/mM0vsg3nrx83tXCv2+H8bM7y6bO4Q5GRbRcZPVNkrrPl245M32
ke2UG81gfykpfm9aeG7ILS2O0I1eGAqex0zb5GMjbLFfKPh27ZefIHxmsPVlho5j
UzWOwxAa/29MuBMc9rwqM3ZIzJwRAmtuqfCrdyb8jwFpiqS76BmaT3QMN5MGxDXj
jSnT5EQCPGsdVlkr+hyHKfwdkfWDLalbFvcqvZVdKsJsPY1d7LRlN9Cg+f9jQAmo
BbBBjyb1M6BWKJMUD2X8Ett/jyG9I22uwMMFxuoLzgMOYWoMk9JR/TVdgAfqq4wk
ghpakjYZ73q1oT0yJuOUHQ9+KPDCb+xjXPn0V417TSCB8EMjkGYYPP4bq5dDmsk5
kMSH4iXme0uFXn/i0zSgs/Ec+K4vta2qfvn/r6vXQtn788r10ADh4ccDlwZZhyKt
SStXUohBCbuTjaouFB+vvh/f1209d/0PbLJwcWySeKyK63+iSAHwkwnF8dkbMiim
+6/etQ5v7KY=
=p2rl
-----END PGP SIGNATURE-----