Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0217
Remote code execution patched in Palo Alto firewalls
15 December 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PAN-OS
Operating System: Network Appliance
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-15944
Member content until: Sunday, January 14 2018
OVERVIEW
Through the exploitation of a combination of unrelated vulnerabilities,
and via the management interface of the device, an attacker could
remotely execute code on PAN-OS in the context of the highest
privileged user. [1]
(Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 / CVE-2017-15944)
IMPACT
The vendor has provided the following details regarding the issue:
"PAN-OS contains multiple vulnerabilities that, when exploited in
conjunction could lead to remote code execution
prior to authentication." [1]
MITIGATION
The vendor recommends updating to PAN-OS releases
6.1.19, 7.0.19, 7.1.14, and 8.0.6 to correct the issue. [1]
The vendor also advises:
"Palo Alto Networks has released content update 756 including
vulnerability signatures #40483 and #40484 that can be used as
an interim mitigation to protect PAN-OS devices until the device
software is upgraded. Note that signatures 40483 and 40484 must be
applied to a firewall rule securing traffic destined for the
Management interface. This issue affects the management interface
of the device and is strongly mitigated by following best practices
for the isolation of management interfaces for security appliances.
We recommend that the management interface be isolated and strictly
limited only to security administration personnel through either
network segmentation or using the IP access control list restriction
feature within PAN-OS." [1]
REFERENCES
[1] Vulnerability in PAN-OS on Management Interface
https://securityadvisories.paloaltonetworks.com/Home/Detail/102
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWjNZ3Yx+lLeg9Ub1AQhkKg//cuiKlLdWaNPf5pLeiTD8/1ZaIKj2rVHz
Ow3sJ04T8XOSI7n9eM20Ey0d//3boUMxb9P5tIyMxtvYBB2wOCozdcBiii3Jb0DQ
yU7MfGa/Z7/KRnLEAw2+qC1uY0xnGEThDjflFlH0S+p3wFfvFwVXIMwu/fzgwVQ9
DUiQkGJydjCKOiJ0CVAfM8xnXpO9yDutPk5LV3cdAaFPgsnWrqs1JSrQ02j3vzRo
AyUV9NP1a1myZWDXAupIY8KiD9mRI9aL9DM4KfLxGUO7/fKMjoKj4UuDJh4jLSph
Z+4JmuDZkPl2+iVF76loJjeiqC5vq0JmpzcNkh6BoOKfudI3AZwss2qTF0MNT7Hb
V9Re5H0FTdyVbRAnhNTBfdY5nPyrKs9QMhnBuW7YP4AOhsGTNR714EOKJAyTf9vJ
sKLEl4b44XuMFfuG+4Av5G6HGGAqnW5/yNHTzBs5KIJ7T0sBi9uYvMV8pgevgymF
Ug00E66PNThPHyXNv4sOEHFE5T2dpxK4Fm79W/+CtzhpS7LQW+Vl5xyve8WQhEAx
ViRjoAiY+POqWmoAiRWIBMH6G3Bw1XFHt5abMEIettIhsDFtnMGvNSZ7mwEfvf19
CxJBvJyQX/vPQbOOkXTKk/jcZ4Sb7BxPrA20+QxROtMym7u7RF+CLdcLw1F3tApS
X/ND7iS0+Yk=
=dW6P
-----END PGP SIGNATURE-----