Jan 23, 2025 | Ravie Lakshmanan | Firmware Security / Risk
A thorough examination of three firewall models from Palo Alto Networks has revealed a number of known security flaws affecting the devices’ firmware, as well as misconfigured security features.
“These weren’t mysterious, corner-case threats,” security contractor Eclypsium said in a statement shared with The Hacker News.
“Instead, these were very well-known problems that we wouldn’t expect to see even on a consumer-grade computer. These issues may help attackers to dodge even the most simple integrity protections, such as Secure Boot, and change device BIOS if exploited.”
The company said it analyzed three network appliances from Palo Alto Networks, PA-3260, PA-1410, and PA-415, the first of which reached end-of-sale on August 31, 2023. The other two models are fully supported platforms.
The list of identified flaws, collectively named PANdora’s Box, is as follows:
- CVE-2020-10713 aka BootHole (Affects PA-3260, PA-1410, and PA-415), which refers to a buffer overflow vulnerability that allows for a Secure Boot bypass on Linux systems with the feature enabled
- (Affects PA-3260) A set of System Management Mode (SMM) vulnerabilities affecting Insyde Software’s InsydeH2O UEFI firmware that could lead to privilege escalation and Secure Boot bypass
- (Affects PA-3260) A set of critical vulnerabilities discovered in the Unified Extensible Firmware Interface (UEFI) code that allow Secure Boot to be bypassed and malicious code to be executed during system startup
- (Affects PA-1410 and PA-415) A number of vulnerabilities in the TCP/IP network protocol stack of the UEFI reference implementation that could lead to code execution and information disclosure
- Insecure flash access control vulnerability (Affects PA-415), a case of misconfigured SPI flash access controls that could allow an attacker to modify UEFI directly and bypass other security measures
- (Affects PA-415) An out-of-bounds write vulnerability in the Trusted Platform Module (TPM) 2.0 reference library specification
- Intel BootGuard leaked keys bypass (Affects PA-1410)
These findings “underline a crucial truth: even products designed to protect may turn into vectors for harm if not properly secured and maintained,” Eclypsium said. Organizations must adopt a more comprehensive approach to providing network security as threat actors continue to target security equipment.
“This includes comprehensive vendor assessments, standard device updates, and steady device integrity monitoring. Companies can better defend their networks and data from advanced attacks that use the tools that were intended to protect them by understanding and addressing these invisible vulnerabilities.”
Update
When reached for comment, Palo Alto Networks shared the following statement with The Hacker News:
Our top priority is always our customers’ safety. Several recent studies from Eclypsium have been published that point to possible risks that might affect some of our Next Generation Firewall goods.
This potential risk was evaluated by the Palo Alto Networks Product Security Incident Response Team. It determined that the conditions for effective exploitation cannot be achieved using current PAN-OS software with secure management interfaces in accordance with best practice recommendations. These problems are not being exploited by Palo Alto Networks. We firmly believe in the reliability and quality of our systems.
Users or administrators of PAN-OS applications are unable to access the conditions necessary to utilize these vulnerabilities, but we are working with the third-party vendor to create any necessary mitigations. As more information becomes available, we’ll give impacted customers additional advice and updates.
Separately, Palo Alto Networks added that in order to exploit the aforementioned flaws, an attacker must first compromise PAN-OS software through other means and gain elevated privileges to access or modify the BIOS firmware. It also said that upgrading to the most recent supported versions significantly reduces the risk.
However, the company acknowledged it’s working with third-party vendors to develop firmware updates for the six vulnerabilities flagged in InsydeH2O UEFI firmware that may be needed for the PA-3200 series, PA-5200 series, and PA-7200 series with the Switch Management Card (SMC-B) installed.
(The article was updated to reflect Palo Alto Networks’ response after publication.)