In this brief post I will relay my finding of a security vulnerability with the Palo Alto update servers. This post refers to the security advisory PAN-SA-2016-0010.
It started with me watching some Palo Alto training videos. I administrate Palo Alto’s at work so thought it would be good to top-up my knowledge on the product and look in to taking the PCNSE. I managed to obtain a copy of a Palo Alto VM by following a link in the training video.
After setting up and configuring the appliance, I tried to update the PAN-OS release and threat/application signatures as they were all a bit old but obviously knew that wouldn’t have worked as you need a license to do pretty much anything with the appliance (technically it would still work as a basic firewall but I wouldn’t have been able to use/test/learn any of the useful features like Global Protect, Wildfire, URL filtering, app-ID, etc).
In the process of trying to get my virtual appliance updated, I discovered a number of available functions.
The Fix
- Most of the APIs that were exposed to the internet had no reason to be, therefore sensitive/unused/internal-only APIs have been moved to an internal, non-internet facing server by Palo Alto Networks.
Palo Alto Networks Response and Timeline
- I first reported this issue via the appropriate security disclosure channels ([email protected]) on the 6th March 2016.
- I received an acknowledgement e-mail from the Product Security Incident Response Team on the 12th March 2016. The e-mail detailed the process of a security disclosure.
- Received a quick update on the 3rd June 2016.
- Received another update on the 7th June 2016 explaining what PAN are doing to address the issues reported.
- Received another update on the 21st June 2016. – this time with a draft security advisory as well as a more in-depth explanation of what PAN are/will be doing to address the issues reported.
Closing notes
We live in a time where security researchers are targeted, sued and jailed for reporting and investigating security vulnerabilities; therefore kudos to the incident response team at Palo Alto (specifically Eric Moret who kept in contact the whole time) who were open and transparent from the beginning.