-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2805
CVE-2020-2035 PAN-OS: URL filtering policy is not enforced
on TLS handshakes for decrypted HTTPS sessions
14 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PAN-OS
Publisher: Palo Alto
Operating System: Network Appliance
Impact/Access: Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-2035
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/CVE-2020-2035
--------------------------BEGIN INCLUDED TEXT--------------------
Palo Alto Networks Security Advisories / CVE-2020-2035
CVE-2020-2035 PAN-OS: URL filtering policy is not enforced on TLS handshakes
for decrypted HTTPS sessions
Severity 3 (LOW)
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required HIGH
User Interaction NONE
Scope CHANGED
Confidentiality Impact NONE
Integrity Impact LOW
Availability Impact NONE
Published 2020-08-12
Updated 2020-08-12
Reference PAN-140086
Discovered externally
Description
When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt web
transactions, the PAN-OS URL filtering feature inspects the HTTP Host and URL
path headers to enforce policy on the decrypted HTTPS web transactions, but it
does not consider the Server Name Indication (SNI) field within the TLS Client
Hello handshake.
This allows a compromised host in a protected network to evade any security
policy that uses URL filtering on a firewall configured with SSL Decryption in
the Forward Proxy mode. A malicious actor can then use this technique to evade
detection of communication on the TLS handshake phase between a compromised
host and a remote malicious server.
This technique does not increase the risk of a host being compromised in the
network. It does not impact the confidentiality or availability of a firewall.
This is considered to have a low impact on the integrity of the firewall
because the firewall fails to enforce a policy on certain traffic that should
have been blocked.
This issue does not impact the URL filtering policy enforcement on clear text
or encrypted web transactions.
This technique can be used only after a malicious actor has compromised a host
in the protected network and the TLS/SSL Decryption feature is enabled for the
traffic that the attacker controls.
Palo Alto Networks is not aware of any malware that uses this technique to
exfiltrate data.
This issue is applicable to all current versions of PAN-OS.
Product Status
PAN-OS
Versions   Affected   Unaffected
10.0       10.0.*
9.1        9.1.*
9.0        9.0.*
8.1        8.1.*
Required Configuration for Exposure
This URL filtering policy evasion situation is only applicable when the
following conditions are true:
1. A host in the network is already compromised by a malicious actor.
2. The PAN-OS configuration must have the SSL/TLS Decryption Forward Proxy
feature enabled for the specific traffic that the attacker controls.
3. There is no other security device in the chain that performs URL Filtering
or can block access to malicious URLs or IP addresses on the encrypted SSL/TLS
traffic.
Severity: LOW
CVSSv3.1 Base Score: 3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N)
Weakness Type
CWE-20 Improper Input Validation
Solution
Palo Alto Networks is currently working to improve our inspection engines by
adding a URL filtering policy check on both the TLS SNI field and the HTTP Host
and URL headers for decrypted HTTPS transactions.
Apply any of the workarounds to completely mitigate the risk of evasion.
There are currently no PAN-OS updates available for this issue.
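As an added illustration of the check the Solution describes (this is not Palo Alto's code; the category lookup, the domain names and the ClientHello bytes are all constructed here), the following Python extracts the SNI from a TLS ClientHello and applies the same URL policy to it at handshake time, before the decrypted HTTP Host header is consulted:

```python
import struct

# Constructed stand-in for a URL-filtering category lookup (hypothetical; not the real PAN-OS database).
BLOCKED_DOMAINS = {"malicious.example"}

def parse_sni(client_hello: bytes):
    """Return the server_name carried in a TLS ClientHello record, or None."""
    if len(client_hello) < 6 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None                                   # not a ClientHello record
    hs = client_hello[5:]                             # strip the 5-byte record header
    pos = 4 + 2 + 32                                  # handshake header, version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def matches_policy(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in BLOCKED_DOMAINS)

def host_only_decision(http_host: str) -> str:
    return "block" if matches_policy(http_host) else "allow"   # the pre-fix behaviour: Host header only

def sni_and_host_decision(client_hello: bytes, http_host: str) -> str:
    """Policy applied to the TLS SNI at handshake time and then to the HTTP Host header."""
    sni = parse_sni(client_hello)
    if sni is not None and matches_policy(sni):
        return "block"
    return host_only_decision(http_host)
```

A session whose SNI names a blocked domain is stopped at the handshake even when the later Host header would have passed the Host-only check.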
Workarounds and Mitigations
Customers concerned about the risk described in this advisory are encouraged to
review the KB article
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008V4J
for more information on background and mitigation options. To enforce URL
filtering policy on TLS handshakes for decrypted HTTPS sessions, we suggest you
use any one of the following workarounds:
1. Route outbound traffic between two virtual systems (vsys) on PAN-OS
firewalls that have vsys capability and perform URL Filtering on one vsys and
perform SSL/TLS Decryption on the other vsys.
2. Add two additional Security Zones and route outbound traffic between the two
zones so that you can apply both "Decrypt" and "No Decrypt" Decryption policy
rules. For example, configure your next-generation firewall so that traffic
travels from the Inside zone to the Internal-DMZ zone where you applied a "No
Decrypt" rule along with URL Filtering and then the traffic passes to the
External-DMZ zone and from External-DMZ to the Internet zone where you applied
a "Decrypt" rule. Be aware that this workaround configuration may significantly
increase the load on your firewall.
3. Use an additional security device in the traffic chain, separating the
SSL/TLS Decryption and URL Filtering functions (for example, the first device
performs URL Filtering and the second device performs SSL/TLS Decryption).
These workarounds are described in detail at
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008V4J
We recommend you use an endpoint protection solution such as the Cortex XDR
agent to significantly reduce the potential risk of hosts being compromised.
See https://www.paloaltonetworks.com/cortex/endpoint-protection.
Caution: We recommend that you do not disable SSL/TLS Decryption as a
workaround to this issue. There are additional risks associated with this
action.
Acknowledgments
Palo Alto Networks thanks Morten Marstrander and Matteo Malvica from mnemonic
AS for discovering and reporting this issue.
Timeline
2020-08-12 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================