-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0136
     Multiple vulnerabilities have been identified in Palo Alto PAN-OS
                              31 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Palo Alto PAN-OS
Operating System:     PAN-OS
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-12416 CVE-2017-9458 CVE-2017-6460
Member content until: Saturday, September 30 2017
Reference:            ESB-2017.1681
                      ESB-2017.0973

OVERVIEW

        Multiple vulnerabilities have been identified in PAN-OS prior to 
        versions 6.1.18, 7.0.17, 7.1.12 and 8.0.4. [1-3]


IMPACT

        The vendor has provided the following details regarding the issues:
        
        "A vulnerability exists in PAN-OS's GlobalProtect external interface
        that could allow for an XML External Entity (XXE) attack. PAN-OS does
        not properly parse XML input. (Ref # PAN-75688 / CVE-2017-9458)
        
        Successful exploitation of this issue may allow disclosure of 
        information, denial of service or server side request forgery." [1]
        
        "A vulnerability exists in PAN-OS's GlobalProtect external interface
        that could allow for a cross-site scripting (XSS) attack. PAN-OS 
        does not properly validate specific request parameters. (Ref # 
        PAN-76003 / CVE-2017-12416)
        
        Successful exploitation of this issue may allow an attacker to
        inject arbitrary JavaScript or HTML." [2]
        
        "The Network Time Protocol (NTP) library has been found to contain a
        vulnerability, CVE-2017-6460. Palo Alto Networks software makes use
        of the vulnerable library and may be affected. This issue only
        affects the management plane of the firewall. (Ref # PAN-76130 /
        CVE-2017-6460)
        
        Successful exploitation of this issue requires an attacker to be on
        the management interface." [3]
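
        The XXE issue above (CVE-2017-9458) is the one with a mechanism worth
        seeing in code: a parser that resolves external entities named by an
        untrusted document will read whatever file (or, with a URL, whatever
        internal host) the attacker points it at, and hand the result back as
        ordinary element text. The following is an added example written for
        this bulletin, not Palo Alto Networks code; the advisory does not
        publish the GlobalProtect request format, so the XML document, the
        element names, the entity name and the "secret" file are all
        constructed. It shows a vulnerable expat-based parser beside a
        hardened one that refuses any DTD, and it keeps the entity local to a
        file because the SSRF variant would only differ in the SYSTEM
        identifier.

```python
"""Added example: XML External Entity (XXE) file disclosure, vulnerable parser
beside a hardened one.  Not PAN-OS code; document and secret are constructed."""
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for any file the parsing process can read.
SECRET = b"secret-token-12345"


class XXERejected(ValueError):
    """Raised by the hardened parser when untrusted input declares a DTD."""


def build_malicious_xml(path):
    """Attacker-controlled document: declares an external entity whose SYSTEM
    identifier names a local file, then references it inside an element.
    (Element and entity names are made up for this example.)"""
    return (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE login [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>'
        b'<login><user>&xxe;</user></login>'
    )


def _text_collector(parser):
    """Gather every character-data callback so the caller can see exactly
    what text the parser ended up placing in the document."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_vulnerable(xml_bytes):
    """Resolves external entities by opening whatever SYSTEM identifier the
    untrusted DTD names.  The file's contents become ordinary element text,
    which the application then stores, logs or echoes back to the client."""
    parser = expat.ParserCreate()
    chunks = _text_collector(parser)

    def resolve(context, base, system_id, public_id):
        sub = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        with open(system_id, "rb") as fh:                # attacker chose this path
            sub.Parse(fh.read(), True)
        return 1                                          # tell expat: resolved OK

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Refuses any DOCTYPE, so no entity can be declared at all, and as a
    second line of defence fails the parse if an external entity reference
    is ever reached (returning 0 makes expat abort with a parse error)."""
    parser = expat.ParserCreate()
    chunks = _text_collector(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XXERejected("DTD not allowed in untrusted input: %r" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda context, base, sid, pid: 0
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def run_demo():
    """Write the secret to a temporary file, feed the same malicious document
    to both parsers and report what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "gp_secret.txt")
        with open(secret_path, "wb") as fh:
            fh.write(SECRET)
        doc = build_malicious_xml(secret_path)
        leaked = parse_vulnerable(doc)
        try:
            parse_hardened(doc)
            hardened_rejected = False
        except XXERejected:
            hardened_rejected = True
    return {"leaked": leaked, "hardened_rejected": hardened_rejected}


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable parser returned:", result["leaked"])
    print("hardened parser rejected document:", result["hardened_rejected"])
```

        The hardened parser still accepts a plain document with no DTD, so
        rejecting the DOCTYPE outright is the cheapest fix for an interface
        that never needs one; where a DTD is genuinely required, the resolver
        must refuse to open anything the document names rather than trusting
        the SYSTEM identifier.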


MITIGATION

        The vendor recommends updating to PAN-OS releases 6.1.18, 7.0.17, 
        7.1.12 and 8.0.4 to correct the issues. [1-3]


REFERENCES

        [1] XML External Entity (XXE) in PAN-OS
            https://securityadvisories.paloaltonetworks.com/Home/Detail/94

        [2] Cross-Site Scripting in PAN-OS
            https://securityadvisories.paloaltonetworks.com/Home/Detail/93

        [3] NTP Vulnerability
            https://securityadvisories.paloaltonetworks.com/Home/Detail/92

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWadl84x+lLeg9Ub1AQi5ZA/+MRxUy7gDo3LjPZgPn8qK0Nu5laSpZjss
lkf5btUyipqt01AL4E18FHayuqMeKDX1rgZu35w150tKW3zRDLWkS365NQldZtN9
7TH838c8K5vjo67vWiLl+W/6xButwdUdhcSl0Y8LkzkByZVEs1jirffi+Lfvp+E5
2ZrPC8e1kYKftjBNc2u4yPzhqPKtrYXEWp5ludPTWtDkU60kyhmEBm6IgpaINjtL
ICZ0IS2Hz9MT96dnYK/GkIbzqe4TlBr04A2DcpzWEWY50OTfI+t/kI7Fr7Z0xd78
ftHPDSffYgXEV93ZNVPWb6RxYB9O91aCEpnbtJC9JLZuOYcHzshVWkDaBnJENWnk
7eSD+hYLdOL7iSPjOYB3ELbw+fA/+NpkVaBg0qOul+MihnwmYtm+SbYU8S5fd29c
SMRYtbWa29BpDGEsclcZfusyVvtEfmjHz0x0C8OSe6apBw+tPZlOxfKL77HTojvA
OjVUsbKASjsqZuOgnHHGfiRvbW6bH0nXfu3fZBlR/SR+ENLkQHiYczOcjZSVAbZQ
R31CuI/6I/ZD8hMsaIkcAE7/WxVXKqvkU5XVbqCYBGkpj1DzlJXuZUvIjbQBsIkg
RgBwDSE/FapBJxeKszFll8AL6Pmi99K4Um3I4gM4d6Om9p6roPxS2cpOjqlC4SLq
4zYjbPZoFpc=
=lUMp
-----END PGP SIGNATURE-----