-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0085
             Denial of Service in PAN-OS Management Interface
                               25 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PAN-OS Management Interface
Operating System:     Network Appliance
Impact/Access:        Denial of Service -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-18065  
Member content until: Wednesday, April 24 2019
Reference:            ESB-2019.0781
                      ESB-2019.0780
                      ESB-2018.3289

OVERVIEW

        Palo-Alto has advised that PAN-OS is vulnerable to a Denial of Service 
        in the Management Interface. [1]


IMPACT

        Palo Alto has provided the following details regarding the issues:
        
        "Summary
        
        A Denial of Service vulnerability exists in the SNMP library that affects
        PAN-OS Management Interface. (Ref # PAN-106922, CVE-2018-18065).
        
        Severity: Medium
        
        Successful exploitation of this issue would allow a remote unauthenticated user
        to cause the SNMP daemon to crash, resulting in a denial of service. The
        unauthenticated user would already have to have access to the management
        interface to make this vulnerability work.
        
        Products Affected
        
        PAN-OS 7.1.22 and earlier, PAN-OS 8.0.15 and earlier, PAN-OS 8.1.6 and earlier.
        PAN-OS 9.0 is NOT affected" [1]


MITIGATION

        The following updates and workarounds have been made available to 
        resolve the issue:
        
        "PAN-OS 7.1.23 and later, PAN-OS 8.0.16 and later, and PAN-OS 8.1.7 
        and later.
        
        Workarounds and Mitigations
        
        This issue affects the management interface of PAN-OS and is strongly mitigated
        by following best practices for securing the PAN-OS management interface. Our
        best practices guidelines reduce the exposure of the management interface to
        potential attackers. Please review the Best Practices for Securing
        Administrative Access in the PAN-OS 9.0 technical documentation, available at:
        https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/
        best-practices-for-securing-administrative-access.html." [1]


REFERENCES

        [1] Denial of Service in PAN-OS Management Interface
            https://securityadvisories.paloaltonetworks.com/Home/Detail/144

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXJhoTGaOgq3Tt24GAQhBpw/+IxkuaQ5d9HRKa7mF5ZFndsxfoty8cQ9y
6RHA4pj+evmLsqt8dt3wlVSVpA/JpyzfbHpw+Z9qFzD0jPq9wkbTUZKImOLlAJ1t
0Xjw6J0NUrc746kJ/o5qfU3hsz5/Zv4hzEeEtslhWnrFaRFIVtyucxaysL6D2ujf
txyOmZH1as+1sndZy0+DtfSOzAcHr3VM+WWp5umnNMKB5C9LK71oojTYJRfLJcdI
bCyKdjEnQ5qRyhYGB06B2aJEas/1UWhlpN4v1Un71RAXb/XwRyWjz+XgDqgCzvlJ
7GwL3ZaseDPdY7XcRxdC/tNQvSfe7COWASUhJAoEyTusJf/xNS7rMzGuKFjmund0
VzBCamjXMELWiPWPhVNJwYMjMNUg/lrw6+1Wfy73AYYUoIi9+LK2+4Hq2SGqsJcR
dgMJi8mPvWVAaejBDYixx9DTKcDpjWX+t6kaug3AV7x+Vth59D/m961X6yFahtXE
cm2gxnFS4Cg5Sj1V5pzlh3YzADapXaxvUYyo2OJ0jngib7xeHCpz7/P8Y1rF4qZd
0tTXE3KBRVkOxNLZC9X1wiTVwS1WDg1S/yZEqK0Wxk5cdYWagyzeXWHZK6o8hZ8G
/lyrAU+1WYZV9FKxkpibjh+pVanJzSHEfiacAtPNNu1ckr5YkLi0svQxMjbjaju6
03771LxijPU=
=rctQ
-----END PGP SIGNATURE-----