Researchers Wait 12 Months To Report Vulnerability With 9.8 Out of 10 Severity Rating (arstechnica.com) 36
About 10,000 enterprise servers running Palo Alto Networks' GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10. From a report: Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret. CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.
"Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more," researchers from Randori wrote on Wednesday. "Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally." Over the past few years, hackers have actively exploited vulnerabilities in a raft of enterprise firewalls and VPNs from the likes of Citrix, Microsoft, and Fortinet, government agencies warned earlier this year. Similar enterprise products, including those from Pulse Secure and Sonic Wall, have also come under attack. Now, Palo Alto Networks' GlobalProtect may be poised to join the list.
"Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more," researchers from Randori wrote on Wednesday. "Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally." Over the past few years, hackers have actively exploited vulnerabilities in a raft of enterprise firewalls and VPNs from the likes of Citrix, Microsoft, and Fortinet, government agencies warned earlier this year. Similar enterprise products, including those from Pulse Secure and Sonic Wall, have also come under attack. Now, Palo Alto Networks' GlobalProtect may be poised to join the list.
So what's a 10/10? (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Who's fault? (Score:3)
"The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret"
Maybe Palo Alto networks should learn how to write secure code instead of relying on other people to find their bugs. A VPN is something you should spend extra effort to make secure.
Re: (Score:2)
It really doesn't matter if it's a VPN or a mailserver or whatnot.
Anything public facing needs to be hardened, for sure. Including a mail server. That it can be done is proven by qmail.
But a mail server can be logically separated from other services, so only it gets hacked. If your VPN gets hacked, then everything it is hiding gets hacked, too.
Re: (Score:2)
You might want to moderate your praise of qmail's security:
https://lwn.net/Articles/82096... [lwn.net]
Re: (Score:1)
Assuming your link is correct, qmail was released in 1997 and only one vulnerability has been found since then (and only in certain configurations). I think your post supports my point.
Re: (Score:3)
Now you are in blind fandom. Yes, the number of vulnerabilities is low, but it's more than one.
https://www.cvedetails.com/vul... [cvedetails.com]
https://vulmon.com/searchpage?... [vulmon.com]
Re: (Score:1)
Yes, the number of vulnerabilities is low,
So you agree with me. QED.
Re: (Score:2)
You were wrong, and they pointed it out. Nobody agreed with your incorrect statement. Stop patting yourself on the back. Shave your neckbeard. Visit the surface.
Re: (Score:2)
I said "qmail proves that a public facing server can be hardened." He said, "The number of vulnerabilities are low." I don't think we disagree here.
Of course, if we want to look more deeply, we can even make a stronger claim. All of the vulnerabilities listed in the link he gave are not vulnerabilities when qmail is run in the recommended configuration. So you could accurately say it has no remote exploits.
Wow this is sad. (Score:2)
I am not sure what is worse. A researcher actively using an exploit over 1 year with out disclosing it to the vendor or when a vendor sits on an exploit and does not issue a patch when informed.
Re:Wow this is sad. (Score:5, Insightful)
That one is easy.
The vendor sitting on the issue and not patching is far worse. If that happens, you should know that their software has many more vulnerabilities. If you don't treat their software as de facto insecure after that, you are negligent.
The researcher has no responsibility to do free work for the vendor.
Re: (Score:2)
That one is easy.
The vendor sitting on the issue and not patching is far worse. If that happens, you should know that their software has many more vulnerabilities. If you don't treat their software as de facto insecure after that, you are negligent.
The researcher has no responsibility to do free work for the vendor.
Indeed. That nicely sums it up. The only way a researcher could be obliged to disclose vulnerabilities they found is if the vendor that screwed up (and yes, all these vulnerabilities are screw-ups, not "accidents") then has to pay them for their effort at current security consulting rates. Say $200/h and realistic accounting of the hours the researcher spent on it and no obligation on the side of the researcher to be efficient.
Re: (Score:3)
Re: (Score:2)
I don't see anywhere that they used it, did I miss something?
Re: (Score:3)
Yes, you missed the words in the summary:
and for most of the time since has been privately using it in its red team products
They were using it to pretend that they discovered vulnerabilities in their clients systems, when in reality the systems were vulnerable because this company didn't report the bug. And there wasn't any patch, solely do to the people taking credit for finding the problem. Who were probably then selling new equipment for something that could have easily been fixed with a software update if they had reported it. It's sleazy in a bunch of different ways, and they
Re: (Score:2)
Ok, this is not cool.
It was gain-of-function research (Score:2)
They just wanted to see how it would affect society as a whole.
Palo Alto no way (Score:2)
I work in a regulated space, where I'm supposed to provide a FIPS certified VPN. Palo Alto has products that fit the requirement. There is no way in hell I would ever put that crap on my network.
Re: (Score:2)
FIPS just means it has NSA designed exploits on top of all the other exploits.
Enterprise Security (Score:4, Insightful)
Palo Alto Networks is an enterprise security company. Enterprise security companies do not make money by making things secure (because the people paying can't tell if they are secure or not). They earn money by making customers happy. In enterprise, that means your top priority is to have a good sales team.
It is obvious here that Palo Alto Networks doesn't care about security, because if they did, they would have audited their own code for security defects. There is no place that secure code is more important. Your VPN should have security defects no more frequently than SSH. Which means none this decade.
Re: (Score:2)
How does a good sales team make companies happy?
Usually the best sales people (when judged by sales volume) are kind of assholes who only even return your calls if your checkbook is in your hand.
I don't think any IT company gives a shit about the technology they sell, they just want to lifecycle to keep cycling. A solid and effective product which effectively solves an IT problem is a great way to kill your business, actually. People aren't interested in replacing them because they *work* and solve the pr
Re: (Score:2)
It is obvious here that Palo Alto Networks doesn't care about security, because if they did, they would have audited their own code for security defects. There is no place that secure code is more important. Your VPN should have security defects no more frequently than SSH. Which means none this decade.
Quite so. It is both well understood how to write secure code on this level and how to make architecture and design of a VPN secure. It is also well-known hos to do a real security audit on such a product and there are companies that offer this as a service. Of course it is not cheap. And, of course, you need qualified (expensive) people to get the implementation right.
Palo Alto Networks screwed up because they tried to do it on the cheap and they are fully responsible for the results because there is no wa
Only affects older versions (Score:3)
It only affects older versions, so the main fault is admins who don't update critical software
"CVE 2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located."
How it this misuse of Palo Alto's product not a violation of every Federal computer security act?
I know the customers paying for or testing are allowing the attacks. Were those customers advised to immediately update their VPN version? If so, we're they told why? Otherwise, That looks to me like a contract violation
Re: (Score:3)
The current version is 8.1.21, and a bit of Google-fu suggests that 8.1.17 was released on October 13, 2021.
Just how quickly and how frequently are admins supposed to be updating remote access software in your eyes? Do you do pre-deployment testing in your organization?
Re: (Score:2)
The current version is 8.1.21, and a bit of Google-fu suggests that 8.1.17 was released on October 13, 2021.
Just how quickly and how frequently are admins supposed to be updating remote access software in your eyes? Do you do pre-deployment testing in your organization?
Totally my bad.
I read this:
CVE-2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located. While those versions are more than a year old, Randori said that data provided by Shodan showed that an estimated 10,000 Internet-connected servers are running them (an estimate from an earlier version of the post put the number at 70,000)
and thought that it was saying 8.1.17 had been released over a year ago and the ones older than that had the vulnerability.
Re: (Score:3)
How it this misuse of Palo Alto's product not a violation of every Federal computer security act?
Using Palo Alto's product should be a violation of every Federal computer security act. It is not secure. Upgrading will not make it secure.
vulnerable or not (Score:1)
Unethical in the extreme (Score:1)
I hope every single one of their clients that was persuaded to make any kind of purchase, change, or do anything that cost any amount of money or manpower due to this undisclosed vulnerability being used as leverage sues this "security" firm for every last penny the were convinced to spend and then some.
They should be driven out of business and everyone involved in the decision to not d
The real scandal here... (Score:2)
Bad programming languages. Bad. Bad. No biscuit.
How to NOT monetize security (Score:1)
How does this conversation playout in the CISO's mind? Randori: We found a vulnerability. CISO: How do we patch it? Randori: You can't. We haven't disclosed the vulnerability to the vendor. We're just using it to hack people's network to show you we can do it. CISO: Thinking...they're not following ethical industry accepted disclosure guidelines. So, do I trust them to behave ethically once they've compromised my network? Conclusion: Terminate/not renew engagement, resulting in Randori having had th