- Palo Alto Networks says it is aware of claims about flaws in the firewalls
- The company advises users to exercise extra caution and tighten security
- A patch will be deployed once more details about the bug are found
Palo Alto Networks has revealed that it recently became aware of a suspected vulnerability in its firewall offering that could allow threat actors to remotely execute malicious code.
Because it does not yet know the details of the flaw and has seen no evidence of exploitation in the wild, the company says it does not have a patch ready. It was “aware of a claim” of a remote code execution vulnerability in the PAN-OS management interface and, as a result, has started actively monitoring for signs of abuse.
In the meantime, Palo Alto Networks has advised its users to exercise extra caution, noting: “At this time, we believe that devices whose access to the management interface is not secured according to our recommended best practice implementation guidelines are at increased risk.”
Alleviate the problem
“In particular, we recommend ensuring that the management interface is only accessed from trusted internal IP addresses and not from the Internet. The vast majority of firewalls already follow these Palo Alto Networks and industry best practices,” the company said.
BleepingComputer found a separate document on the Palo Alto Networks community website, with additional information about securing the firewalls:
- Isolate the management interface to a dedicated management VLAN.
- Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging into the firewall/Panorama.
- Restrict incoming IP addresses to your mgt interface to approved management devices. This reduces the attack surface by preventing access from unexpected IP addresses and preventing access using stolen credentials.
- Only allow secure communication such as SSH, HTTPS.
- Allow PING only for testing connectivity to the interface.
Palo Alto Networks says Prisma Access and Cloud NGFW are not believed to be affected. Cortex Xpanse and Cortex XSIAM are not themselves at risk; rather, customers of those products can use them to identify firewalls whose management interface is exposed to the internet.
Via BleepingComputer