Palo Alto reveals critical bugs and March 16th patch deadline

Researcher who found the flaws will reveal crim-friendly details in three weeks

Palo Alto Networks has revealed four new nasties, one of which can allow remote code execution and DDOS attacks on its boxen, and given users until March 16th to patch them.

The company's security advisory page lists the four bugs but doesn't mention the deadline.

That date has, however, been shared in an email to customers that reads in part “All customers are advised to upgrade PAN-OS and Panorama to the latest maintenance releases before March 16th, 2016, when details of the vulnerabilities will be publicly disclosed at a security conference in Germany by the security researcher that discovered and reported these issues to us.”

The difference in information quality offered by the company looks like a scoreline of Email 1, RSS 0. Make what you will of that in the comments field.

The bugs? PAN-SA-2016-0005 is the critical problem and means that “When a PAN-OS device is configured as a GlobalProtect portal, a vulnerability exists where an improper handling of a buffer involved in the processing of SSL VPN requests can result in device crash and possible remote code execution.”

This one's an oldie but a baddie as it hits PAN-OS versions 5.0.17, 6.0.12, 6.1.9, 7.0.4 and prior. So get patching.

The company's also revealed the high severity PAN-SA-2016-0003, in which a management “API incorrectly parses input to a specific API call, leading to execution of arbitrary OS commands without authentication via the management interface.”

The company's also revealed the merely-Medium-severity PAN-SA-2016-0004, a DDOS-by-crash problem, and the low-severity PAN-SA-2016-0002 regarding “incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level.” Only someone logged in as root will be able to make this one happen. ®

Keep Reading

Biting the hand that feeds IT © 1998–2021