A remote code-execution (RCE) vulnerability (CVE-2019-1579) has been uncovered in the GlobalProtect portal and GlobalProtect Gateway interface security products from Palo Alto Networks. It’s an unusual zero-day case, having been previously unknown but inadvertently fixed in later releases.
The vulnerability (CVE-2019-1579) is a format string vulnerability in the SSL Gateway, which handles client/server SSL handshakes. It's a critical bug because it allows an unauthenticated attacker to execute arbitrary code. It's recommended to update the Gateway OS ASAP.
First publicized by researchers Orange Tsai and Meh Chang last week, the bug was a previously unknown vulnerability, but later versions of Palo Alto’s products happen to be inoculated against it, meaning that up-to-date systems are not in danger.
The affected versions are:
- PAN-OS 7.1.18 and earlier
- PAN-OS 8.0.11 and earlier
- PAN-OS 8.1.2 and earlier
PAN-OS 9.0 is not affected.
The fixed versions are:
- PAN-OS 7.1.19 and later
- PAN-OS 8.0.12 and later
- PAN-OS 8.1.3 and later
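As an added example (not Palo Alto Networks' own tooling), the Python helper below classifies PAN-OS version strings against the affected and fixed ranges listed above, so a device inventory can be triaged before patching. The inventory is constructed, and the handling of an optional `-hN` hotfix suffix is an assumption about the version format.

```python
import re

# First fixed patch release per affected PAN-OS branch, from the advisory above.
FIRST_FIXED = {(7, 1): 19, (8, 0): 12, (8, 1): 3}
NOT_AFFECTED_BRANCHES = {(9, 0)}

# Assumption: versions look like "8.1.3" with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse a PAN-OS version string into (major, minor, patch, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def cve_2019_1579_status(text):
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for a version."""
    # Only branches named in the advisory are classified; anything else is
    # 'unknown' so it gets reviewed by hand rather than silently passed.
    major, minor, patch, _hotfix = parse_version(text)
    branch = (major, minor)
    if branch in FIRST_FIXED:
        # A hotfix on an affected patch level still predates the fixed release.
        return "affected" if patch < FIRST_FIXED[branch] else "fixed"
    if branch in NOT_AFFECTED_BRANCHES:
        return "not_affected"
    return "unknown"

# Constructed sample inventory (hostname -> PAN-OS version), not real devices.
INVENTORY = {
    "fw-branch-01": "8.1.2",
    "fw-branch-02": "8.1.3-h1",
    "fw-dc-01": "8.0.11",
    "fw-dc-02": "9.0.0",
    "fw-legacy-01": "7.1.18",
    "fw-lab-01": "7.0.5",
}

def triage(inventory):
    """Group hostnames by status; the 'affected' bucket drives the patch plan."""
    buckets = {}
    for host, version in inventory.items():
        buckets.setdefault(cve_2019_1579_status(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in buckets.items()}
```

Calling `triage(INVENTORY)` returns the affected, fixed, not-affected and unknown hosts in separate buckets; the unknown bucket exists so that branches the advisory does not name are checked rather than assumed safe.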
For those who can’t update yet, Palo Alto recommended that users update to content release 8173 or later, and that they make sure that threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface.
Recently Mathy Vanhoef of imec-DistriNet discovered a vulnerability in the WPA2 standard which enables a man-in-the-middle attacker to sniff and decrypt packets on a wireless network. The details of this vulnerability are provided at https://www.krackattacks.com/
WPA2 is used to secure the wireless communication between clients and the access point. It was considered unbreakable until this vulnerability was discovered. Here are the key things you should know about this vulnerability.
- This vulnerability cannot be exploited remotely. The attacker or his device must be close enough to connect to the targeted wireless network to run the attack. This limits the effect of this vulnerability significantly.
- There have been no reports of this vulnerability being exploited in the wild, yet.
- This only enables the attacker to decrypt the wireless frames and expose the payload. If the communication is over HTTPS/TLS, the attacker still cannot decrypt the payload, and all of your communication data is still safe.
- The vulnerability was discovered many months ago and was communicated to many vendors whose products are vulnerable. So the patches will be available soon.
- This vulnerability affects every client device that uses wireless, as the vulnerability is in the WPA2 standard itself.
- There are no patches available at this moment, so until the device vendor releases a patch, wireless communication is prone to this attack.
- This enables the attacker to obtain private information sent over wireless communication if the payload is sent in plain text over HTTP.
- Though HTTPS communication is safe from this attack, your DNS traffic, which is in clear text, is still exposed.
- The attacker can modify the DNS traffic and can redirect you to a malicious website.
Things you should do to keep yourself safe from this attack.
- Keep an eye on any update released by your device vendor, and patch the device as soon as an update is available.
- Do not send any private information like username/password, account logins, payment information or personal details over an unencrypted connection. Always check that the website you are submitting the details to is using HTTPS to encrypt all communication involving private information.
- Checking for the green lock icon in the browser is even more important now, as the attacker can modify DNS traffic and redirect you to a malicious website. If that happens you will get a certificate error in the browser. Do not proceed if your web browser warns you about any problem with the website certificate.
- If possible, always use a VPN when connected over wireless, so that all wireless communication is protected by an extra layer of VPN encryption.
- For the paranoid, refrain from using wireless at all until this vulnerability is patched.