Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2019.0085 Denial of Service in PAN-OS Management Interface 25 March 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: PAN-OS Management Interface Operating System: Network Appliance Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-18065 Member content until: Wednesday, April 24 2019 Reference: ESB-2019.0781 ESB-2019.0780 ESB-2018.3289 OVERVIEW Palo-Alto has advised that PAN-OS is vulnerable to a Denial of Service in the Management Interface. [1] IMPACT Palo Alto has provided the following details regarding the issues: "Summary A Denial of Service vulnerability exists in the SNMP library that affects PAN-OS Management Interface. (Ref # PAN-106922, CVE-2018-18065). Severity: Medium Successful exploitation of this issue would allow a remote unauthenticated user to cause the SNMP daemon to crash, resulting in a denial of service. The unauthenticated user would already have to have access to the management interface to make this vulnerability work. Products Affected PAN-OS 7.1.22 and earlier, PAN-OS 8.0.15 and earlier, PAN-OS 8.1.6 and earlier. PAN-OS 9.0 is NOT affected" [1] MITIGATION The following updates and workarounds have been made available to resolve the issue: "PAN-OS 7.1.23 and later, PAN-OS 8.0.16 and later, and PAN-OS 8.1.7 and later. Workarounds and Mitigations This issue affects the management interface of PAN-OS and is strongly mitigated by following best practices for securing the PAN-OS management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 9.0 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/ best-practices-for-securing-administrative-access.html." [1] REFERENCES [1] Denial of Service in PAN-OS Management Interface https://securityadvisories.paloaltonetworks.com/Home/Detail/144 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXJhoTGaOgq3Tt24GAQhBpw/+IxkuaQ5d9HRKa7mF5ZFndsxfoty8cQ9y 6RHA4pj+evmLsqt8dt3wlVSVpA/JpyzfbHpw+Z9qFzD0jPq9wkbTUZKImOLlAJ1t 0Xjw6J0NUrc746kJ/o5qfU3hsz5/Zv4hzEeEtslhWnrFaRFIVtyucxaysL6D2ujf txyOmZH1as+1sndZy0+DtfSOzAcHr3VM+WWp5umnNMKB5C9LK71oojTYJRfLJcdI bCyKdjEnQ5qRyhYGB06B2aJEas/1UWhlpN4v1Un71RAXb/XwRyWjz+XgDqgCzvlJ 7GwL3ZaseDPdY7XcRxdC/tNQvSfe7COWASUhJAoEyTusJf/xNS7rMzGuKFjmund0 VzBCamjXMELWiPWPhVNJwYMjMNUg/lrw6+1Wfy73AYYUoIi9+LK2+4Hq2SGqsJcR dgMJi8mPvWVAaejBDYixx9DTKcDpjWX+t6kaug3AV7x+Vth59D/m961X6yFahtXE cm2gxnFS4Cg5Sj1V5pzlh3YzADapXaxvUYyo2OJ0jngib7xeHCpz7/P8Y1rF4qZd 0tTXE3KBRVkOxNLZC9X1wiTVwS1WDg1S/yZEqK0Wxk5cdYWagyzeXWHZK6o8hZ8G /lyrAU+1WYZV9FKxkpibjh+pVanJzSHEfiacAtPNNu1ckr5YkLi0svQxMjbjaju6 03771LxijPU= =rctQ -----END PGP SIGNATURE-----