===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0010
              A vulnerability has been identified in PAN-OS.
                              11 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PAN-OS
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-15940  
Member content until: Saturday, February 10 2018

OVERVIEW

        A vulnerability has been identified in PAN-OS. The following 
        versions of PAN-OS are affected: PAN-OS 6.1.18 and earlier, PAN-OS 
        7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.6 and 
        earlier.


IMPACT

        Palo Alto has provided the following details regarding the issues:
        
        "Summary
        
        A vulnerability exists in the PAN-OS web interface packet capture 
        management that could allow an authenticated user to inject 
        arbitrary commands. (Ref # PAN-81892 / CVE-2017-15940)
        
        Severity: High
        
        PAN-OS contains a vulnerability that may allow for post 
        authentication command injection." [1]


MITIGATION

        The following updates have been made available:
        
        PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and
        later, PAN-OS 8.0.6-h3 and later
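
        An added example, not part of the AusCERT bulletin or the Palo Alto
        advisory: a Python check that compares PAN-OS version strings from an
        inventory against the first fixed releases listed above. The hostnames
        and inventory are constructed, and treating hotfix builds between
        8.0.6 and 8.0.6-h3 as still needing the update is an assumption.

```python
import re

# First fixed release per branch, from the bulletin's MITIGATION section.
# Tuple form: (major, minor, patch, hotfix); hotfix 0 means no "-hN" suffix.
# Assumption: any build below the first fixed one (e.g. 8.0.6-h1) needs it.
FIRST_FIXED = {
    (6, 1): (6, 1, 19, 0),
    (7, 0): (7, 0, 19, 0),
    (7, 1): (7, 1, 14, 0),
    (8, 0): (8, 0, 6, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def needs_update(text):
    """True if below the first fixed release on its branch, False if at or
    above it, None if the bulletin does not list the branch."""
    version = parse_version(text)
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed

def triage(inventory):
    """Map hostname -> 'UPDATE', 'OK' or 'NOT LISTED' for a dict of versions."""
    labels = {True: "UPDATE", False: "OK", None: "NOT LISTED"}
    return {host: labels[needs_update(ver)] for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "fw-edge-01": "8.0.6",
        "fw-edge-02": "8.0.6-h3",
        "fw-dc-01": "7.1.13",
        "fw-lab-01": "8.1.0",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

        A "NOT LISTED" result means only that the bulletin does not name
        that branch; check the vendor advisory [1] for such devices.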
        
        Palo Alto has also given the following workaround and mitigations:
        
        Palo Alto Networks has released content update 765 including 
        vulnerability signatures #30998 that can be used as an interim 
        mitigation to protect PAN-OS devices until the device software is 
        upgraded. Note that signatures 30998 must be applied to a firewall 
        rule securing traffic destined for the Management interface. This 
        issue affects the management interface of the device and is strongly
        mitigated by following best practices for the isolation of 
        management interfaces for security appliances. We recommend that the
        management interface be isolated and strictly limited only to 
        security administration personnel through either network 
        segmentation or using the IP access control list restriction feature
        within PAN-OS. An alternative mitigation includes the use of a 
        Panorama central manager and disabling of http and https management
        on each of the vulnerable appliances, then use the Panorama context 
        switching feature to remotely access the web interface of the 
        device.


REFERENCES

        [1] PAN-OS Security Advisory
            https://securityadvisories.paloaltonetworks.com/Home/Detail/105

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================