Last Updated: 2016-02-25 15:14:02 UTC
by Johannes Ullrich (Version: 1)
Yesterday, Palo Alto Networks released an update to PAN-OS, which addresses five different vulnerabilities . The security researcher who identified the vulnerabilities will publish details about these issues at a conference on March 16th. You MUST patch affected systems before that date.
Two of the vulnerabilities appear to be in particular dangerous, and affected devices should be patched immediately.
Unauthenticated Buffer Overflow in GlobalProtect/SSL VPN Web Interface (PAN-SA-2016-0005)
This issue affects PAN's SSL VPN, which implies that it will be difficult to limit traffic to the GlobalProtect portal to "trusted IPs". An SSL VPN like this is often used to allow users from untrusted networks to connect to internal resources.
Unauthenticated Command Injection in Management Web Interface (PAN-SA-2016-0003)
All too often, web-based APIs do not use the same rigor to provide authentication as we find it in web applications they support. This appears to be another case where a particular API function was left unguarded, and arbitrary commands may be executed. However, this vulnerability only affects the management web interface, which should not be "wide open" and access should be limited to carefully selected IP address ranges. Exploits like CSRF may on the other hand still be used to trick users at an authorized workstation to send an exploit to the device. We don't know enough about the vulnerability to understand if this is possible or not.