Security

Researchers Wait 12 Months To Report Vulnerability With 9.8 Out of 10 Severity Rating (arstechnica.com)

About 10,000 enterprise servers running Palo Alto Networks' GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10. From a report: Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret. CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.

"Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more," researchers from Randori wrote on Wednesday. "Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally." Over the past few years, hackers have actively exploited vulnerabilities in a raft of enterprise firewalls and VPNs from the likes of Citrix, Microsoft, and Fortinet, government agencies warned earlier this year. Similar enterprise products, including those from Pulse Secure and Sonic Wall, have also come under attack. Now, Palo Alto Networks' GlobalProtect may be poised to join the list.
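The summary describes the bug class, a stack buffer overflow triggered while parsing user-supplied input into a fixed-length location, but not what that looks like in code. The following is an added illustration, not PAN-OS code and not Randori's proof of concept: a small "key=value" request parser written two ways, one that copies a field into a fixed stack buffer without comparing lengths, and one that rejects oversized input before touching the buffer. The request format, the `VALUE_MAX` size and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 32   /* fixed-length stack buffer; size chosen for the example */

/* Locate "key=value" in a '&'-separated request string (constructed format).
 * Returns a pointer to the value and its length, or NULL if the key is absent. */
static const char *find_value(const char *req, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = req;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');   /* skip to the next field */
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable pattern: the attacker-controlled length is never compared with
 * the buffer, so a long value writes past buf into the rest of the stack frame. */
int value_length_unsafe(const char *req, const char *key)
{
    char buf[VALUE_MAX];
    size_t len;
    const char *v = find_value(req, key, &len);
    if (!v) return -1;
    memcpy(buf, v, len);   /* out-of-bounds write when len >= VALUE_MAX */
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Hardened pattern: bound the copy by the destination size and refuse
 * oversized input outright rather than silently truncating it. */
int value_length_safe(const char *req, const char *key)
{
    char buf[VALUE_MAX];
    size_t len;
    const char *v = find_value(req, key, &len);
    if (!v) return -1;                    /* key not present */
    if (len >= sizeof buf) return -2;     /* too long for the buffer: reject */
    memcpy(buf, v, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

int main(void)
{
    const char *req = "user=alice&token=abc";   /* constructed sample request */
    printf("user length: %d\n", value_length_safe(req, "user"));
    printf("missing key: %d\n", value_length_safe(req, "session"));
    printf("oversized:   %d\n",
           value_length_safe("user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "user"));
    return 0;
}
```

The only difference between the two functions is the single comparison against `sizeof buf`; the defensive habit is to derive every copy bound from the destination, never from the input. Compiling with stack protection (`-fstack-protector-strong`) and running under AddressSanitizer during testing turns the unsafe variant's silent corruption into a detected crash, which is the cheapest way to catch this class before it ships.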

  • Just trying to understand the rating system. Is a 10/10 like if anyone goes to a certain specific website and clicks a button then some server automatically turns into Skynet?
  • by phantomfive ( 622387 ) on Friday November 12, 2021 @03:56PM (#61982477) Journal

    "The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret"

    Maybe Palo Alto networks should learn how to write secure code instead of relying on other people to find their bugs. A VPN is something you should spend extra effort to make secure.

  • I am not sure what is worse. A researcher actively using an exploit for over 1 year without disclosing it to the vendor, or a vendor that sits on an exploit and does not issue a patch when informed.

    • by phantomfive ( 622387 ) on Friday November 12, 2021 @04:11PM (#61982513) Journal

      That one is easy.

      The vendor sitting on the issue and not patching is far worse. If that happens, you should know that their software has many more vulnerabilities. If you don't treat their software as de facto insecure after that, you are negligent.

      The researcher has no responsibility to do free work for the vendor.

      • by gweihir ( 88907 )

        That one is easy.

        The vendor sitting on the issue and not patching is far worse. If that happens, you should know that their software has many more vulnerabilities. If you don't treat their software as de facto insecure after that, you are negligent.

        The researcher has no responsibility to do free work for the vendor.

        Indeed. That nicely sums it up. The only way a researcher could be obliged to disclose vulnerabilities they found is if the vendor that screwed up (and yes, all these vulnerabilities are screw-ups, not "accidents") then has to pay them for their effort at current security consulting rates. Say $200/h and realistic accounting of the hours the researcher spent on it and no obligation on the side of the researcher to be efficient.

    • by sheph ( 955019 )
      The government does it all the time. They have teams that find vulnerabilities and they sit on them to give us an advantage in case of cyber war. Of course in the mean time everyone is vulnerable, but that's of no consequence to them.
    • I don't see anywhere that they used it, did I miss something?

      • Yes, you missed the words in the summary:

        and for most of the time since has been privately using it in its red team products

        They were using it to pretend that they discovered vulnerabilities in their clients' systems, when in reality the systems were vulnerable because this company didn't report the bug. And there wasn't any patch, solely due to the people taking credit for finding the problem. Who were probably then selling new equipment for something that could have easily been fixed with a software update if they had reported it. It's sleazy in a bunch of different ways, and they

  • They just wanted to see how it would affect society as a whole.

  • I work in a regulated space, where I'm supposed to provide a FIPS certified VPN. Palo Alto has products that fit the requirement. There is no way in hell I would ever put that crap on my network.

  • by phantomfive ( 622387 ) on Friday November 12, 2021 @04:16PM (#61982541) Journal

    Palo Alto Networks is an enterprise security company. Enterprise security companies do not make money by making things secure (because the people paying can't tell if they are secure or not). They earn money by making customers happy. In enterprise, that means your top priority is to have a good sales team.

    It is obvious here that Palo Alto Networks doesn't care about security, because if they did, they would have audited their own code for security defects. There is no place that secure code is more important. Your VPN should have security defects no more frequently than SSH. Which means none this decade.

    • How does a good sales team make companies happy?

      Usually the best sales people (when judged by sales volume) are kind of assholes who only even return your calls if your checkbook is in your hand.

      I don't think any IT company gives a shit about the technology they sell, they just want to lifecycle to keep cycling. A solid and effective product which effectively solves an IT problem is a great way to kill your business, actually. People aren't interested in replacing them because they *work* and solve the pr

    • by gweihir ( 88907 )

      It is obvious here that Palo Alto Networks doesn't care about security, because if they did, they would have audited their own code for security defects. There is no place that secure code is more important. Your VPN should have security defects no more frequently than SSH. Which means none this decade.

      Quite so. It is both well understood how to write secure code on this level and how to make the architecture and design of a VPN secure. It is also well known how to do a real security audit on such a product, and there are companies that offer this as a service. Of course it is not cheap. And, of course, you need qualified (expensive) people to get the implementation right.

      Palo Alto Networks screwed up because they tried to do it on the cheap and they are fully responsible for the results because there is no wa

  • by clovis ( 4684 ) on Friday November 12, 2021 @04:22PM (#61982565)

    It only affects older versions, so the main fault is admins who don't update critical software

    "CVE 2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located."

    How is this misuse of Palo Alto's product not a violation of every Federal computer security act?
    I know the customers paying for or testing are allowing the attacks. Were those customers advised to immediately update their VPN version? If so, were they told why? Otherwise, that looks to me like a contract violation

    • by DRJlaw ( 946416 )

      It only affects older versions, so the main fault is admins who don't update critical software

      "CVE 2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located."

      The current version is 8.1.21, and a bit of Google-fu suggests that 8.1.17 was released on October 13, 2021.

      Just how quickly and how frequently are admins supposed to be updating remote access software in your eyes? Do you do pre-deployment testing in your organization?

      • by clovis ( 4684 )

        It only affects older versions, so the main fault is admins who don't update critical software

        "CVE 2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located."

        The current version is 8.1.21, and a bit of Google-fu suggests that 8.1.17 was released on October 13, 2021.

        Just how quickly and how frequently are admins supposed to be updating remote access software in your eyes? Do you do pre-deployment testing in your organization?

        Totally my bad.
        I read this:

        CVE-2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located. While those versions are more than a year old, Randori said that data provided by Shodan showed that an estimated 10,000 Internet-connected servers are running them (an estimate from an earlier version of the post put the number at 70,000)

        and thought that it was saying 8.1.17 had been released over a year ago and the ones older than that had the vulnerability.

    • How is this misuse of Palo Alto's product not a violation of every Federal computer security act?

      Using Palo Alto's product should be a violation of every Federal computer security act. It is not secure. Upgrading will not make it secure.

  • It takes a lot of work to parse that first paragraph.
  • A security firm found a vulnerability and instead of disclosing it, spent TWELVE MONTHS using it to fleece customers?

    I hope every single one of their clients that was persuaded to make any kind of purchase, change, or do anything that cost any amount of money or manpower due to this undisclosed vulnerability being used as leverage sues this "security" firm for every last penny they were convinced to spend and then some.

    They should be driven out of business and everyone involved in the decision to not d
  • is that buffer overflow vulnerabilities are still a thing in late 2021.

    Bad programming languages. Bad. Bad. No biscuit.
  • How does this conversation play out in the CISO's mind? Randori: We found a vulnerability. CISO: How do we patch it? Randori: You can't. We haven't disclosed the vulnerability to the vendor. We're just using it to hack people's networks to show you we can do it. CISO: Thinking... they're not following ethical, industry-accepted disclosure guidelines. So, do I trust them to behave ethically once they've compromised my network? Conclusion: Terminate/not renew engagement, resulting in Randori having had th
