If you haven't potentially exposed 1000s of customers once again with networking vulns, step forward... Not so fast, Palo Alto Networks

Getting to be a real PAN in the OS


Palo Alto Networks has emitted its second software update in as many weeks to address a potentially serious security vulnerability in its products.

The vendor on Wednesday issued an advisory for CVE-2020-2034, a remote code execution flaw in its PAN-OS GlobalProtect portal, which can be exploited by a remote unauthenticated miscreant to execute arbitrary commands on the gateway as a superuser:

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges.

An attacker requires some knowledge of the firewall to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled.

This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.

Prisma Access services are not impacted by this vulnerability.
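For admins working out which boxes in an inventory fall inside the affected ranges quoted above, here is a small version-range check. It is an added example, not Palo Alto Networks code; the fixed-release numbers come from the advisory text, and the "-hN" hotfix suffix handling is an assumption about how PAN-OS version strings are written.

```python
"""Flag PAN-OS versions that fall in the ranges the CVE-2020-2034 advisory lists
as affected. Added example, not vendor code; ranges taken from the advisory."""
import re

# First fixed release on each supported branch, per the advisory.
FIXED_BY_BRANCH = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
}
# Branches the advisory says are affected in every version (no fix available).
UNFIXED_BRANCHES = {(8, 0), (7, 1)}

# Assumed format: major.minor[.patch][-hN]; the hotfix suffix is an assumption.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?$")

def parse_version(text):
    """Parse '9.0.8', '8.1.15' or '8.1.14-h3' into a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, hotfix)

def is_vulnerable(version_text, globalprotect_portal_enabled=True):
    """True if the version is in an affected range AND the GlobalProtect portal
    is enabled (the advisory says it is not exploitable otherwise). Branches the
    advisory does not mention are treated as not affected."""
    if not globalprotect_portal_enabled:
        return False
    v = parse_version(version_text)
    branch = v[:2]
    if branch in UNFIXED_BRANCHES:
        return True
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return False
    # Hotfixes of a release below the fixed version are still below it.
    return v[:3] < fixed

def triage(inventory):
    """Map host -> (version, portal enabled) to host -> needs patching."""
    return {host: is_vulnerable(ver, on) for host, (ver, on) in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"fw-edge-1": ("9.1.2", True), "fw-edge-2": ("9.1.3", True),
              "fw-lab": ("8.0.20", True), "fw-dc": ("9.0.8", False)}
    for host, flagged in triage(sample).items():
        print(host, "PATCH NOW" if flagged else "ok")
```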

No in-the-wild attacks have been reported... yet. Palo Alto confirmed to The Register that GlobalProtect is not enabled by default, though anecdotal evidence suggests it's widely used. Short of applying the PAN-OS updates, there is no way to mitigate the vulnerability, other than turning off GlobalProtect.

This latest Palo Alto advisory comes just ten days after the IT supplier sounded the alarm for another remote code execution flaw in its PAN-OS. That vulnerability, CVE-2020-2021, was serious enough to warrant an alert from Uncle Sam's CyberCom, which feared that in-the-wild exploitation attempts were likely.


However, before admins go and schedule downtime to patch this latest bug, keep in mind that anyone who updated their PAN-OS gear to protect against CVE-2020-2021 already has the fix in place for this CVE-2020-2034 bug. Both were addressed with the earlier update.

Still, there are likely to be thousands of internet-facing PAN-OS devices that are potentially still vulnerable to exploit. Nate Warfield, of medical system security group CTI League, reckoned there are over 60,000 internet-facing devices that could potentially be vulnerable, though he told El Reg many of those may well already be patched, particularly because of last week's bug disclosure.

Admins who have at-risk internet-facing PAN-OS gear should schedule downtime and get the fix for both vulnerabilities installed ASAP.

Meanwhile, F5 adjusts warnings

As if administrators haven't had enough to fret over these last few weeks, now comes word that F5 is walking back some of the mitigations for its recently disclosed critical vulnerability.

According to an updated bulletin, the only way to avoid in-the-wild exploitation of that hole is to update the BIG-IP firmware.

Previously, F5 had suggested some mitigating steps administrators could take to temporarily protect their networks from exploits targeting CVE-2020-5902 and CVE-2020-5903, remote code execution flaws in F5's BIG-IP Traffic Management User Interface, until the timing was right to patch and reboot any affected equipment.

The change in advice will be particularly annoying for admins, who will now have to schedule downtime to fix their gear. Given that the bug is trivial to exploit, is now included in the Metasploit framework, and is being probed or exploited in the wild, that downtime should occur ASAP. ®

