Vulnerabilities in Palo Alto Firewalls Exposed

Introduction

A comprehensive evaluation of three firewall models from Palo Alto Networks has revealed a multitude of known security flaws impacting the devices’ firmware as well as misconfigured security features.

The Vulnerabilities

Security vendor Eclypsium stated that the identified vulnerabilities, collectively named PANdora’s Box, include:

• CVE-2020-10713, aka BootHole (Affects PA-3260, PA-1410, and PA-415), refers to a buffer overflow vulnerability that allows for a Secure Boot bypass on Linux systems with the feature enabled.
• CVE-2022-24030, CVE-2021-33627, CVE-2021-42060, CVE-2021-42554, CVE-2021-43323, and CVE-2021-45970 (Affects PA-3260), which refers to a set of System Management Mode (SMM) vulnerabilities affecting Insyde Software’s InsydeH2O UEFI firmware that could lead to privilege escalation and Secure Boot bypass.
• LogoFAIL (Affects PA-3260), which refers to a set of critical vulnerabilities discovered in the Unified Extensible Firmware Interface (UEFI) code that exploit flaws in image parsing libraries embedded in the firmware to bypass Secure Boot and execute malicious code during system startup.
• PixieFail (Affects PA-1410 and PA-415), which refers to a set of vulnerabilities in the TCP/IP network protocol stack incorporated in the UEFI reference implementation that could lead to code execution and information disclosure.
• Insecure flash access control vulnerability (Affects PA-415), which refers to a case of misconfigured SPI flash access controls that could permit an attacker to modify UEFI directly and bypass other security mechanisms.
• CVE-2023-1017 (Affects PA-415), which refers to an out-of-bounds write vulnerability in the Trusted Platform Module (TPM) 2.0 reference library specification.
• Intel bootguard leaked keys bypass (Affects PA-1410)

Conclusion

These findings underscore a critical truth: even devices designed to protect can become vectors for attack if not properly secured and maintained. Organizations must adopt a more comprehensive approach to supply chain security, including rigorous vendor assessments, regular firmware updates, and continuous device integrity monitoring. By understanding and addressing these hidden vulnerabilities, organizations can better protect their networks and data from sophisticated attacks that exploit the very tools meant to safeguard them.

Recommended Actions

• Adopt a more comprehensive approach to supply chain security
• Conduct rigorous vendor assessments
• Regularly update firmware
• Continuously monitor device integrity

Stay Informed

Follow us on Twitter and LinkedIn to read more exclusive content we post.