Researchers wait 12 months to report vulnerability with severity score of 9.8 out of 10

Approximately 10,000 corporate servers running Palo Alto Networks GlobalProtect VPN are vulnerable to a newly patched buffer overflow bug with a severity rating of 9.8 out of 10.

Security firm Randori said Wednesday that it discovered the vulnerability 12 months ago and has since used it, mostly privately, in its red team products, which help customers test their networks' defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret.

Lateral movement

CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow that occurs when user-supplied input is parsed into a fixed-length location on the stack. A proof-of-concept exploit developed by Randori researchers demonstrates the extensive damage that can result.

“Our team was able to obtain a shell on the affected target, access sensitive configuration data, extract credentials, and so on,” Randori researchers wrote Wednesday. “Once an attacker has control of the firewall, they will have visibility into the internal network and will be able to move laterally.”

In recent years, hackers have actively exploited vulnerabilities in a range of corporate firewalls and VPNs from vendors such as Citrix, Microsoft and Fortinet, government agencies warned earlier this year. Similar corporate products, including those from Pulse Secure and SonicWall, have also come under attack. Now, GlobalProtect from Palo Alto Networks could be close to joining the list.

A GlobalProtect portal provides management functions that lock down network endpoints and secure information about available gateways and any available certificates that may be needed to connect to them. The portal also controls the behavior and distribution of GlobalProtect application software to macOS and Windows endpoints.

CVE-2021-3064 affects only versions of PAN-OS, the operating system on which the GlobalProtect VPN runs, prior to 8.1.17. Although these versions are over a year old, Randori said data provided by Shodan showed that around 10,000 internet-connected servers were running them (an earlier version of Randori's post put the number at 70,000). Independent researcher Kevin Beaumont said that his own Shodan searches indicated that approximately half of all GlobalProtect instances seen by Shodan were vulnerable.

The overflow occurs when the software parses user-supplied input into a fixed-length location on the stack. The buggy code is not reachable from the outside without using what is called HTTP request smuggling, an exploitation technique that abuses the way a website processes sequences of HTTP requests. Vulnerabilities arise when the front end and back end of a website interpret the boundary of an HTTP request differently and the discrepancy puts them out of sync.

The confusion is usually the result of code libraries deviating from the specification when a request carries both the Content-Length header and the Transfer-Encoding header. In the process, part of one request may be appended to the next, which can cause the response to the smuggled request to be delivered to a different user. Request smuggling vulnerabilities are often critical because they allow an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.
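The Content-Length/Transfer-Encoding disagreement described above is exactly what a strict front end should refuse to forward. The following is an added example, not code from the article, Randori or Palo Alto Networks: a framing audit that flags a request as ambiguous when both headers are present, when the two framings yield different body lengths, or when either header is malformed, following the message-body rules of RFC 7230 section 3.3.3; any sample request fed to it is constructed.

```python
# Added example (not from the article, Randori or Palo Alto Networks): a strict
# HTTP/1.1 framing check of the kind a front-end proxy should apply before
# forwarding a request, so front end and back end never disagree on where one
# request ends and the next begins (RFC 7230 section 3.3.3).

def chunked_body_length(body):
    """Bytes consumed by a chunked body through the final 0-size chunk, or None if malformed."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return None
        try:
            size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        except ValueError:
            return None
        if size == 0:                      # "0\r\n\r\n" closes the body (trailers unsupported)
            return end + 4 if body[end + 2:end + 4] == b"\r\n" else None
        pos = end + 2 + size               # skip the size line and the chunk data
        if body[pos:pos + 2] != b"\r\n":   # chunk data must be followed by CRLF
            return None
        pos += 2

def audit_request(raw):
    """Return (length per Content-Length, length per chunked framing, reasons to reject)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}                           # lower-cased name -> list of values
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cl_vals = headers.get(b"content-length", [])
    te_vals = headers.get(b"transfer-encoding", [])
    reasons, cl, te = [], None, None
    if len(set(cl_vals)) > 1 or (cl_vals and not cl_vals[0].isdigit()):
        reasons.append("conflicting or non-numeric Content-Length")
    elif cl_vals:
        cl = int(cl_vals[0])
    if te_vals:
        codings = [c.strip().lower() for v in te_vals for c in v.split(b",")]
        if codings[-1] != b"chunked":
            reasons.append("Transfer-Encoding does not end in chunked")
        else:
            te = chunked_body_length(body)
            if te is None:
                reasons.append("malformed chunked body")
    if cl_vals and te_vals:                # the CL/TE conflict the article describes
        reasons.append("both Content-Length and Transfer-Encoding present")
    if cl is not None and te is not None and cl != te:
        reasons.append(f"Content-Length frames {cl} body bytes, chunked framing {te}")
    return cl, te, reasons
```

A non-empty reasons list is the signal to reject the request outright rather than pick one framing, since a back end that picks the other framing would treat the leftover bytes as the start of a new request.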

“A pretty gaping hole,” independent security researcher David Longenecker wrote of the GlobalProtect bug on Twitter. “And the kind of hole the baddest actors have tapped into in just about every remote access product over the past few years.”

Randori said the risk is particularly acute for virtual versions of the vulnerable product because they do not have address space layout randomization (a security mechanism, usually shortened to ASLR, designed to greatly reduce the chances of successful exploitation) enabled.

“On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible,” Randori researchers wrote. “On virtualized devices (VM-series firewalls), exploitation is considerably easier due to the lack of ASLR, and Randori expects public exploits to surface. Randori researchers did not exploit the buffer overflow to achieve controlled code execution on certain versions of hardware devices with MIPS-based management plane processors due to their big-endian architecture, although the overflow is reachable on these devices and can be exploited to limit the availability of services.”

What took you so long?

Randori’s post said company researchers discovered the buffer overflow and HTTP smuggling flaw last November. A few weeks later, the company “began to allow the use of the vulnerability chain as part of the Randori continuous and automated red team platform.”

“Red team tools and techniques, including zero-day exploits, are necessary for the success of our customers and the cybersecurity world as a whole,” Randori CTO David Wolpoff wrote in a press release. “However, like any offensive tool, vulnerability information should be treated with care and with due respect. Our mission is to provide a high-value experience for our customers, while recognizing and managing the associated risks.”

Palo Alto Networks has published a brief advisory here. In an email, company officials wrote, “The security of our customers is our top priority. Today’s security advisory resolves a vulnerability that can affect customers using older versions of PAN-OS (8.1.16 and earlier). We took immediate action to implement mitigation measures. As stated in the security advisory, we are not aware of any malicious attempts to exploit the vulnerability. We strongly encourage following best practices to keep systems up to date, and thank the researchers for alerting us and sharing their findings.”

Any organization that uses the Palo Alto Networks GlobalProtect platform should carefully review the Randori advisory and patch vulnerable servers as soon as possible.
