
A Vulnerability in Palo Alto Firewalls PAN-OS Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-067

DATE(S) ISSUED:

07/21/2017

OVERVIEW:

A vulnerability has been discovered in Palo Alto Firewall PAN-OS, which could allow for arbitrary code execution. PAN-OS is an operating system for Palo Alto Networks appliances. An attacker can exploit this issue using specially crafted fully qualified domain names (FQDNs). Successful exploitation could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

Proof-of-Concept code for this vulnerability is available. However, there are no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • PAN-OS 6.1.17 and prior
  • PAN-OS 7.0.15 and prior
  • PAN-OS 7.1.9 and prior
  • PAN-OS 8.0.2 and prior
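
One way to triage a firewall inventory against the versions listed above (an added example, not part of the MS-ISAC advisory or any Palo Alto Networks tooling). It assumes version strings of the form major.minor.patch with an optional -hN hotfix suffix and that "6.1.17 and prior" also covers branches older than 6.1; the inventory is constructed.

```python
import re

# Highest affected release per branch, copied from SYSTEMS AFFECTED above.
AFFECTED_CEILINGS = {(6, 1): 17, (7, 0): 15, (7, 1): 9, (8, 0): 2}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-h\d+)?$")


def classify(version):
    """Return 'affected', 'review', 'not-listed' or 'unparseable'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    hotfix = m.group(4) is not None
    branch = (major, minor)
    if branch < min(AFFECTED_CEILINGS):
        # Assumption: "6.1.17 and prior" also covers older branches.
        return "affected"
    ceiling = AFFECTED_CEILINGS.get(branch)
    if ceiling is None:
        return "not-listed"  # branch is not named in the advisory
    if patch < ceiling:
        return "affected"
    if patch == ceiling:
        # The advisory does not say whether a hotfix build of the
        # ceiling release carries the fix, so flag it for a manual check.
        return "review" if hotfix else "affected"
    return "not-listed"


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "7.1.9",
    "fw-edge-02": "7.1.10",
    "fw-dc-01": "8.0.2-h1",
    "fw-dc-02": "8.0.3",
    "fw-lab-01": "6.0.4",
    "fw-lab-02": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as `review` or `unparseable` need a manual check against the vendor's fixed-release information before they are treated as patched.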

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in Palo Alto Firewall PAN-OS, which could allow for arbitrary code execution. This vulnerability exists when the DNS Proxy feature resolves a specially crafted fully qualified domain name (FQDN). Specifically, the issue occurs in the Data and Management planes of the firewall. Successful exploitation could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Palo Alto Networks to vulnerable systems, after appropriate testing.
  • Disable DNS Proxy, if possible, on affected systems where the update cannot be applied.
  • Verify no unauthorized system modifications have occurred on vulnerable systems before patching.


CIS Controls That Help Avoid This Issue:

  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 11: Secure Configurations for Network Devices
