===========================================================================
AUSCERT Security Bulletin

ASB-2018.0222.3
PAN-OS is vulnerable to FragmentSmack
30 November 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           PAN-OS
Operating System:  PAN-OS
                   Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5391 CVE-2018-5390

Revision History:  November 30 2018:  Fixes available for PAN-OS 8.1
                   October 25 2018:   Fixes added for PAN-OS 6.1.22 and
                                      PAN-OS 8.0.13 and later. Updated list
                                      of affected products
                   September 21 2018: Initial Release

OVERVIEW

Palo Alto has advised that PAN-OS is vulnerable to FragmentSmack
(CVE-2018-5391) but also advised that PAN-OS is not vulnerable to
SegmentSmack (CVE-2018-5390). [1 - 2]

The following versions of PAN-OS are affected by FragmentSmack
(CVE-2018-5391):

"PAN-OS 6.1.21 and earlier running on PA-200, PA-500, PA-2000 Series,
PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050.

PAN-OS 7.1.19 and earlier running on PA-200, PA-500, PA-2000 Series,
PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050 and PA-7080.

PAN-OS 8.0.12 and earlier running on PA-200, PA-220, PA-500, PA-800 Series,
PA-3000 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, PA-7050 and
PA-7080.

PAN-OS 8.1.4 and earlier running on PA-200, PA-220, PA-220R, PA-500,
PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5220,
PA-5250, PA-5260, PA-5280, PA-7050 and PA-7080." [1]

IMPACT

Palo Alto has provided the following details regarding the issues:

"Summary

Palo Alto Networks is aware of recent vulnerability disclosure, known as
FragmentSmack, that affects Linux kernel 3.9 and later. At this time, our
findings show that some Palo Alto Networks devices running specific
versions of PAN-OS are vulnerable to this disclosure. (CVE-2018-5391).
This security advisory will be updated as more information becomes
available or if there are changes in the impact of these vulnerabilities.

Severity: Medium

A flaw named FragmentSmack was found in the way the Linux kernel handled
reassembly of fragmented IPv4 and IPv6 packets. To exploit this
vulnerability a remote attacker could send specially crafted packets that
trigger time and calculation expensive fragment reassembly algorithms and
cause CPU saturation (a denial of service on the system). This only affects
the Management Plane of PAN-OS." [1]

MITIGATION

The following updates have been made available to fix FragmentSmack:

"PAN-OS 6.1.22, PAN-OS 7.1.20 and later, PAN-OS 8.0.13 and later, and
PAN-OS 8.1.5 and later." [1]

REFERENCES

[1] PAN-SA-2018-0012 Information about FragmentSmack findings
    https://securityadvisories.paloaltonetworks.com/Home/Detail/131

[2] PAN-SA-2018-0013 Information about SegmentSmack findings
    https://securityadvisories.paloaltonetworks.com/Home/Detail/132

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
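
An added example, not part of the AusCERT bulletin or of Palo Alto's advisory: a small triage helper that sorts a firewall inventory into affected and fixed hosts using the fixed releases listed under MITIGATION. The hostnames, the sample inventory and the function names are constructed for illustration; it assumes versions are written as major.minor.maintenance with an optional -hN hotfix suffix, and it does not check the per-branch hardware model lists.

```python
import re

# Fixed maintenance release per PAN-OS branch, from the MITIGATION section.
FIXED = {(6, 1): 22, (7, 1): 20, (8, 0): 13, (8, 1): 5}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split 'major.minor.maint[-hN]' into integers; return None if malformed."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def fragmentsmack_status(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable' for one version."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    major, minor, maint, _hotfix = parsed
    fixed_maint = FIXED.get((major, minor))
    if fixed_maint is None:
        # Branch is not mentioned in the bulletin: do not guess either way.
        return "not-listed"
    # Assumption: a hotfix build (-hN) of an affected maintenance release is
    # still affected, because the bulletin names only maintenance levels.
    return "fixed" if maint >= fixed_maint else "affected"


def triage(inventory):
    """Map {hostname: version} to {status: [hostnames]} for upgrade planning."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(fragmentsmack_status(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-1": "8.1.4", "fw-edge-2": "8.1.5", "fw-dc-1": "8.0.12-h2",
    "fw-old-1": "6.1.21", "fw-new-1": "9.0.0", "fw-bad-1": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as not-listed or unparseable need a manual check against the vendor advisory [1] rather than being assumed safe.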