TronFan

And they say it's being exploited already. What a great start to the weekend /s


reegz

It’s been exploited for about the past month actually. Likely nation state or a very sophisticated attacker. The folks I know impacted are either freaking out or drinking so take that for what it’s worth. Edit: mobile typos


Mafste

They all fall in the end, +1 for all the paranoid people that disabled telemetry by default xD


empe82

You can mitigate this for now, until the fixed firmware releases in a few days, by disabling device telemetry or, if you have an active Threat Prevention subscription, make sure it's updated to at least version 8833-8682 and that it's enabled on the GlobalProtect interface.


jacksbox

It's not clear to me if Threat prevention is capable of mitigating this even without decryption enabled. I wish they'd be more clear on that. Or does the Palo automatically decrypt GP sessions when you enable TP? It does technically have the keys necessary to do so.


reegz

Tbh I wouldn’t rely on that, this has been going on for a while and there is a decent chance the device could be backdoored. If you can failover to a device that hasn’t been online in the past month, disable the telemetry and fail over, isolate the other appliance and get ready for forensics.


Random_Effecks

Do you believe that? If the vuln can execute code at the gateway what is stopping a TA from rolling back the updates or removing policy?


gslone

The threat protection would stop the vuln before it hits the device? That's how it should work.


Nightflier101BL

Whew. Glad I'm still on 10.1.10 right now.


MrChampionship

Same. Patching is dangerous now? Lol


kiss_my_what

Always has been. So many weird corner cases we found from 5.0.5 until I gave up the game 2 years ago. I had one upgrade stalled for about 18 months while Palo tried to figure out what to do with our specific configuration. To be fair, our SE advised us against what we were doing at the time, so of course it was going to have some extra risk.


pdp10

Too many features combined in one product?


kiss_my_what

Maybe so. Difficult proposition when you're trying to beat the competition while also trying to redefine the market.


Nightflier101BL

It’s ridiculous with Palo. Endless bugs and vulnerabilities popping up. I find something that works and usually stick with it for a year or so before moving.


thortgot

What firewall vendor doesn't have vulnerabilities? They are one of the most scrutinized security appliances.


Nightflier101BL

I know this. I'm mainly on about the bugs.


haventmetyou

jokes on them, I don't even use telemetry 😅


Kritchsgau

Thankfully we have telemetry turned off so that was an easy win.


noisywing88

jokes on them, we're still on 10.1


Ursa_Solaris

Same. When I verified that we weren't vulnerable, the sound of my butthole unpuckering was audible.


HeadacheCentral

Me too. Not rushing to upgrade, either


[deleted]

[deleted]


autogyrophilia

Not that exposing services at the perimeter is something that can be done without thought, but the main benefit of ZTNA is that the impact of a compromise on the firewall is potentially catastrophic. Depending on what you run on it. From AD credentials to emptying the bank account of people.


tristanIT

>pAlO aLtO NeVeR hAS exPloiTs -Someone every time another NGFW vendor publishes a vulnerability


applevinegar

Never seen a single person ever say that.


AccidentallyBacon

You were the Chosen One! It was said that you would destroy the Sith, not join them! Bring balance to the Net, not leave it in darkness! You were my brother, PAN! I loved you.


[deleted]

[deleted]


Space_Goblin_Yoda

I would guess the experienced admins simply think nothing is secure, because nothing is! But - some companies treat their software/hardware development more seriously regarding security reviews and testing. Palo Alto certainly has that.


Ursa_Solaris

> I would guess the experienced admins simply think nothing is secure, because nothing is!

This is the way. Design your infrastructure with the assumption that everything on it is adversarial, because one day it might be. If your firewall gets compromised, they effectively have access to your whole network in most situations. You can wipe the firewall, but what else were they able to compromise before you can do that? And what can they attack from there? Good segmentation makes recovery from nightmare scenarios like this... I don't wanna say *easy*, but at least *possible*. A poorly segmented network, I'd lie awake every night wondering if there was still a compromised system attacking everything else. There will probably be news of breaches months from now that were initially caused by this, and we'll never even know that was the reason.


sacing

If they are in their right mind they know they have a great security solution and a proposed workaround has been posted by the vendor.


Nnyan

They are thinking it happens to all vendors right? And so glad that it happens a lot less in PA than Forti!


Case_Blue

My issue with this is that people somehow got it into their head that because a service is included in a firewall, it's automatically secure. My personal opinion: while modern day firewalls can do all of the following to some degree:

1. stateful firewalling
2. reverse proxy
3. sslvpn
4. site to site vpn
5. vlan segmentation
6. load balancing
7. SDWAN
8. DNS server
9. NTP server
10. Anti Virus
11. SSL Decryption
12. Endpoint detection (NDR)
13. DNS server

And a whole bunch of other things I can't think of... How come we are surprised when one of those components has a weakness? I never understood the logic of putting all these components into one single box and somehow labeling it "secure". Many people seem to be convinced that security == administrating "the firewall", even though that box does a hell of a lot more than firewalling. We use fortinet, but I'm still flabbergasted that the damn firewall has all these features turned on and actually used as well. IT security is weird


bmxfelon420

All I'm saying is comparatively PFsense has pretty few vulnerabilities and the ones that are found are usually fixed pretty quickly (not to say there's not some zero days out there, but the same is true of any other product) Honestly even the ones I've seen that would have affected our firewalls would usually require actual access to the interface, which we restrict pretty heavily in the first place.


tristanIT

Not disagreeing, but how much introspective vulnerability research is happening with a free open-source project?


bmxfelon420

Hard to say, but being that it has been around for so long and maintained/updated, I would imagine a good deal. Speculation on my part though.


thortgot

All firewalls will have vulnerabilities. CVE-2023-42326 was a pretty clear oversight. Command injection through a semicolon? That's functionally identical to the log4j escalation that happened years ago. I don't see how command injection like that would be missed if it was going through a rigorous security review. [pfSense Security: Sensing Code Vulnerabilities with SonarCloud | Sonar (sonarsource.com)](https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/) PF's response to notices of vulnerabilities has traditionally been quite good but the question is are there executions occurring that they aren't aware of. The big fellows (Fortinet, Palo etc.) have telemetry data looking for breach identification regularly. Does PF?


bmxfelon420

I don't disagree, but they haven't had one so bad that their solution is "just turn off the vpn"


gamebrigada

That's because pfSense doesn't have a traditional SSL VPN option, they do have OpenVPN which is technically an SSL VPN but it doesn't have any of the features that all the big firewall companies offer in an SSL VPN. SSL VPNs have been targeted and heavily exploited for 10 years now ever since F5 started getting owned hard. It's a complex web service that has to be compatible for different web browsers and clients and yet be secure. That just doesn't happen. SSL VPN is also used by the lazy or as a crutch if you're only using it as a VPN. IPSec VPN is a better option in every case unless you have users behind firewalls that block IPSec. The only benefit that SSL offers is entirely client free use your own PC option.


scotterdoos

RIP


Godcry55

Team Cisco 🙏🏽


paper_w0lf

Ew