-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT Security Bulletin

ASB-2017.0217
Remote code execution patched in Palo Alto firewalls
15 December 2017

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              PAN-OS
Operating System:     Network Appliance
Impact/Access:        Administrator Compromise -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-15944
Member content until: Sunday, January 14 2018

OVERVIEW

        Through the exploitation of a combination of unrelated
        vulnerabilities, and via the management interface of the device,
        an attacker could remotely execute code on PAN-OS in the context
        of the highest privileged user. [1]

        (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 /
        CVE-2017-15944)

IMPACT

        The vendor has provided the following details regarding the issue:

        "PAN-OS contains multiple vulnerabilities that, when exploited in
        conjunction could lead to remote code execution prior to
        authentication." [1]

MITIGATION

        The vendor recommends updating to PAN-OS releases 6.1.19, 7.0.19,
        7.1.14, and 8.0.6 to correct the issue. [1]

        The vendor also advises:

        "Palo Alto Networks has released content update 756 including
        vulnerability signatures #40483 and #40484 that can be used as an
        interim mitigation to protect PAN-OS devices until the device
        software is upgraded. Note that signatures 40483 and 40484 must be
        applied to a firewall rule securing traffic destined for the
        Management interface.

        This issue affects the management interface of the device and is
        strongly mitigated by following best practices for the isolation
        of management interfaces for security appliances. We recommend
        that the management interface be isolated and strictly limited
        only to security administration personnel through either network
        segmentation or using the IP access control list restriction
        feature within PAN-OS." [1]

REFERENCES

        [1] Vulnerability in PAN-OS on Management Interface
            https://securityadvisories.paloaltonetworks.com/Home/Detail/102

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
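
The fixed releases listed under MITIGATION can be checked against a firewall inventory. The following Python example is added here and is not part of the AusCERT bulletin or any vendor code; the hostnames and versions in SAMPLE are constructed, and it assumes versions are written as major.minor.maintenance with an optional -hN hotfix suffix, with branches the bulletin does not list reported as unknown rather than guessed.

```python
import re

# Fixed maintenance release per branch, from the bulletin's MITIGATION section.
FIXED = {(6, 1): 19, (7, 0): 19, (7, 1): 14, (8, 0): 6}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.maint' with an optional '-hN' hotfix suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def triage(version):
    """Return 'patched', 'upgrade' or 'unknown-branch' for one version string."""
    major, minor, maint, _hotfix = parse_version(version)
    fixed_maint = FIXED.get((major, minor))
    if fixed_maint is None:
        # The bulletin names no fixed release for this branch; do not guess.
        return "unknown-branch"
    # Assumption: a hotfix on an older maintenance release does not count as fixed.
    return "patched" if maint >= fixed_maint else "upgrade"


def triage_inventory(inventory):
    """Map hostname -> (version, status); unparseable versions need manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = (version, triage(version))
        except ValueError:
            report[host] = (version, "manual-review")
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {
    "fw-edge-01": "7.1.13", "fw-edge-02": "7.1.14", "fw-dc-01": "8.0.6-h3",
    "fw-lab-01": "6.1.18-h1", "fw-branch-01": "6.0.15", "fw-branch-02": "unknown",
}

if __name__ == "__main__":
    for host, (version, status) in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:14} {version:12} {status}")
```

Devices reported as "upgrade" are the candidates for the interim measures the vendor describes (content update 756 and management-interface isolation) until they are upgraded.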