Reference: CERT-EU Security Advisory 2016-117
Title: Palo Alto critical bugs
Version history: 25/02/2016 Initial publication.

Summary:
========

Palo Alto Networks has revealed four new vulnerabilities [1]:

PAN-SA-2016-0005 - Critical [1]:
"When a PAN-OS device is configured as a GlobalProtect portal, a vulnerability exists where an improper handling of a buffer involved in the processing of SSL VPN requests can result in device crash and possible remote code execution."

PAN-SA-2016-0004 - Medium [1]:
"When a PAN-OS device is configured as a GlobalProtect web portal, a specially crafted request to the portal could result in a crash of the service."

PAN-SA-2016-0003 - High [1]:
"Palo Alto Networks PAN-OS implements an API to enable programmatic device configuration and administration of the device. An issue was identified where the management API incorrectly parses input to a specific API call, leading to execution of arbitrary OS commands without authentication via the management interface."

PAN-SA-2016-0002 - Low [1]:
"Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level. This vulnerability requires successful authentication but can be used to execute OS commands with root privileges if the logged on user has administrative privileges."

Products Affected:
==================

PAN-OS releases 5.0.17, 5.1.10, 6.0.12, 6.1.9, 7.0.5 and prior.

Recommendations:
================

Customers using PAN-OS and Panorama software are advised to upgrade to the latest releases as soon as possible and no later than March 16th 2016, since this is the date on which details of the vulnerabilities will be publicly disclosed at a security conference in Germany [2].

Until the upgrade is done, make sure the management interface is not reachable from untrusted networks: PAN-SA-2016-0003 requires no authentication, so exposure of the management interface is the main risk factor for that issue. Devices configured as a GlobalProtect portal are additionally exposed to PAN-SA-2016-0005 and PAN-SA-2016-0004 through the portal itself and should be upgraded first.

Available Updates: PAN-OS releases 5.0.18, 6.0.13, 6.1.10 and 7.0.5 and newer. Note that no fixed release in the 5.1 train is listed; consult the vendor advisory [1] for guidance on devices running 5.1.x.
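The following is an added example, not part of the CERT-EU advisory and not Palo Alto Networks code. It turns the "Products Affected" and "Available Updates" lists above into an inventory check: each device's PAN-OS version string is parsed, compared against the fixed release listed for its maintenance train, and given a remediation priority (GlobalProtect portals first, because of PAN-SA-2016-0005; every other vulnerable device is still at least "high" because PAN-SA-2016-0003 needs no authentication). Assumptions: the device inventory and its role tags are constructed for the example; the "Available Updates" list is taken as the set of fixed releases; "-hN" hotfix suffixes on the fixed base release count as patched; a train with no fixed release listed (5.1.x) is reported separately rather than guessed at; trains newer than 7.0 are reported as not covered by this advisory.

```python
"""Inventory check for CERT-EU Security Advisory 2016-117 (PAN-SA-2016-0002..0005).

Added example, not CERT-EU or Palo Alto Networks code. Assumptions are noted
inline; the inventory below is constructed for illustration.
"""
import re
from typing import Dict, Iterable, Set, Tuple

# Fixed releases named under "Available Updates", keyed by maintenance train.
# Assumption: a device at or above the fixed release of its train is patched.
FIXED_RELEASES = {
    "5.0": "5.0.18",
    "6.0": "6.0.13",
    "6.1": "6.1.10",
    "7.0": "7.0.5",
}

# Newest train the advisory covers ("7.0.5 and prior" is the affected range).
_LATEST_COVERED_TRAIN = max(tuple(int(x) for x in t.split(".")) for t in FIXED_RELEASES)

# PAN-OS release strings look like "7.0.5" or "7.0.5-h2" (hotfix N).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Role tag (constructed for this example) marking a GlobalProtect portal.
GP_PORTAL = "globalprotect-portal"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; N defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Classify one version string against the advisory's fixed releases.

    Returns 'patched', 'vulnerable', 'no-fix-in-train' (e.g. 5.1.x, which the
    advisory lists as affected but gives no fixed release for) or 'not-covered'
    (train newer than anything the advisory names).
    """
    v = parse_version(version)
    train = (v[0], v[1])
    key = f"{v[0]}.{v[1]}"
    if key not in FIXED_RELEASES:
        return "not-covered" if train > _LATEST_COVERED_TRAIN else "no-fix-in-train"
    fixed = parse_version(FIXED_RELEASES[key])
    return "patched" if v >= fixed else "vulnerable"


def priority(status: str, roles: Set[str]) -> str:
    """Remediation priority for one device given its status and role tags."""
    if status in ("patched", "not-covered"):
        return "none"
    # Portals are exposed to the critical SSL VPN request-handling bug
    # (PAN-SA-2016-0005); everything else is still hit by the unauthenticated
    # management API command execution (PAN-SA-2016-0003).
    return "critical" if GP_PORTAL in roles else "high"


def triage(inventory: Iterable[Dict]) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (status, priority) for every device in the inventory."""
    result = {}
    for dev in inventory:
        status = assess(dev["version"])
        result[dev["host"]] = (status, priority(status, set(dev.get("roles", ()))))
    return result


# Constructed sample inventory (hostnames, versions and roles are made up).
INVENTORY = [
    {"host": "fw-edge-1", "version": "7.0.3", "roles": {GP_PORTAL}},
    {"host": "fw-edge-2", "version": "7.0.5-h2", "roles": {GP_PORTAL}},
    {"host": "fw-dc-1", "version": "6.1.9", "roles": set()},
    {"host": "fw-legacy", "version": "5.1.10", "roles": set()},
    {"host": "panorama-1", "version": "6.0.13", "roles": set()},
]

if __name__ == "__main__":
    for host, (status, prio) in sorted(triage(INVENTORY).items()):
        print(f"{host:12s} {status:16s} priority={prio}")
```

Feed it the version strings from your own inventory (for example the output of `show system info` collected from each device) and work the "critical" entries first; the "no-fix-in-train" entries need a decision on which train to move to rather than a point upgrade.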
References:
===========

[1] https://securityadvisories.paloaltonetworks.com/
[2] http://www.theregister.co.uk/2016/02/25/palo_alto_reveals_critical_bugs_and_march_16th_patch_deadline/

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html