Last week, Palo Alto Networks released security updates for its PAN-OS security platform that address critical and high severity vulnerabilities that can be exploited by a remote and unauthenticated for remote code execution and command injection.
The critical issue, tracked as CVE-2017-15944, is a combination of flaws that affect the management interface.
PAN-OS 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier versions are affected by the issue that was addressed by security updates included in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6.
Palo Alto Network also released vulnerability signatures to block the attacks that exploit this issue.
The set of vulnerability was discovered in July by Philip Pettersson that published a security advisory on SecList. Pettersson has found three vulnerabilities (a partial authentication bypass, an arbitrary directory creation issue, and a command injection bug) that can be chained to allow an unauthenticated attacker to execute arbitrary code with root privileges through the vulnerable web interface.
“This is a public advisory for CVE-2017-15944 which is a remote root code execution bug in Palo Alto Networks firewalls. Three separate bugs can be used together to remotely execute commands as root through the web management interface without authentication on: PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.5 and earlier.” reads the advisory.
Palo Alto Networks notified customers the vulnerability informing them to avoid exposing the web interface of its devices to the Internet.
The security updated for PAN-OS also address a high severity flaw in the web interface packet capture management component tracked as CVE-2017-15940.
The flaw can be exploited by an authenticated attacker to inject arbitrary commands.
Affected products are PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.6 and earlier.
“This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances. We recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS.” reads the advisory.
(Security Affairs –Palo Alto Networks Security Platform, hacking)