Critical Vulnerabilities Discovered in Palo Alto Networks Firewalls: Risks in Firmware and Secure Boot

A recent analysis conducted by Eclypsium has identified significant vulnerabilities in the firmware of three models of firewalls from Palo Alto Networks: PA-3260, PA-1410, and PA-415. These gaps, grouped under the name PANdora’s Box, reveal poorly implemented security configurations and significant risks in devices designed to protect enterprise networks.


Identified Failures: A Concerning Landscape

The report notes that these vulnerabilities are neither unknown nor emerging, but rather well-documented issues that should not be present in high-end security devices. The main gaps include:

  1. BootHole (CVE-2020-10713): A buffer overflow vulnerability that allows Secure Boot to be bypassed on Linux systems that have it enabled. It affects all three analyzed models.
  2. UEFI Firmware Vulnerabilities (CVE-2022-24030 and others): In the PA-3260, these flaws in System Management Mode (SMM) allow privilege escalation and bypassing secure boot.
  3. LogoFAIL: Critical flaws in the image parsing libraries of UEFI firmware, affecting the PA-3260, that enable malicious code execution during system startup.
  4. PixieFail: Flaws in the TCP/IP stack built into the UEFI firmware, present in the PA-1410 and PA-415 models, that enable code execution and information leakage.
  5. Insecure Flash Access Control: Misconfigured SPI flash access controls on the PA-415 that allow direct modification of the UEFI firmware and bypass of its security mechanisms.
  6. CVE-2023-1017: An out-of-bounds write vulnerability in the specification of the Trusted Platform Module (TPM) 2.0, affecting the PA-415.
  7. Bypass of Intel Boot Guard Keys: Detected in the PA-1410, this vulnerability allows critical secure boot protections to be bypassed.
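The insecure flash access control item above is, in practice, a question of whether the chipset registers that guard the SPI flash are set. The following is an added example (not code from the Eclypsium report or from Palo Alto Networks) that applies the widely documented Intel PCH write-protection checks to constructed register snapshots: the BIOS_CNTL bits BIOSWE, BLE and SMM_BWP, the FLOCKDN bit in HSFS, and the PRx protected-range registers. All register values, the flash layout and the BIOS region offsets are made up for illustration; on real hardware they would be read from the chipset with a firmware audit tool.

```python
"""Evaluate whether a platform's SPI flash BIOS region is write-protected.

Added example applying the well-known Intel PCH checks (BIOS_CNTL BIOSWE/BLE/SMM_BWP,
HSFS.FLOCKDN, PRx protected ranges) to constructed register snapshots.
Every register value in this file is hypothetical, not taken from any real device.
"""
from dataclasses import dataclass
from typing import List, Tuple

# BIOS_CNTL (BIOS Control) bit positions
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = writes to the BIOS region are allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI that firmware can veto
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes only honoured while all cores are in SMM

# HSFS (Hardware Sequencing Flash Status) bit position
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: 1 = PRx registers are frozen until reset


@dataclass(frozen=True)
class ProtectedRange:
    """Decoded PRx register: a write-protected span of the flash (limit is inclusive)."""
    base: int
    limit: int
    write_protect: bool

    @classmethod
    def decode(cls, raw: int) -> "ProtectedRange":
        # PRx layout: bit 31 WPE, bits 28:16 limit, bit 15 RPE, bits 12:0 base;
        # both address fields are in 4 KiB units.
        return cls(
            base=(raw & 0x1FFF) << 12,
            limit=(((raw >> 16) & 0x1FFF) << 12) | 0xFFF,
            write_protect=bool(raw & (1 << 31)),
        )


@dataclass(frozen=True)
class SpiSnapshot:
    """Constructed register snapshot (hypothetical values)."""
    bios_cntl: int
    hsfs: int
    pr_regs: Tuple[int, ...]


def region_fully_write_protected(ranges: List[ProtectedRange], start: int, end: int) -> bool:
    """True if [start, end] is covered end-to-end by write-protected ranges."""
    covered_to = start
    for r in sorted((r for r in ranges if r.write_protect), key=lambda r: r.base):
        if r.base <= covered_to <= r.limit:
            covered_to = r.limit + 1
            if covered_to > end:
                return True
    return False


def evaluate(snap: SpiSnapshot, bios_region: Tuple[int, int]) -> Tuple[bool, List[str]]:
    """Return (protected, weaknesses).

    The BIOS region counts as protected if either mechanism is complete:
      1. BIOS_CNTL lock: BIOSWE clear, BLE set and SMM_BWP set; or
      2. PRx lock: the whole region is write-protected and FLOCKDN is set.
    The weakness list describes every gap observed, even when the other
    mechanism compensates for it.
    """
    weaknesses = []
    cntl = snap.bios_cntl
    if cntl & BIOSWE:
        weaknesses.append("BIOSWE set: BIOS region writes are enabled")
    if not cntl & BLE:
        weaknesses.append("BLE clear: BIOSWE can be re-enabled without firmware intervention")
    if not cntl & SMM_BWP:
        weaknesses.append("SMM_BWP clear: writes are not confined to SMM")
    cntl_ok = not weaknesses

    ranges = [ProtectedRange.decode(raw) for raw in snap.pr_regs]
    pr_covers = region_fully_write_protected(ranges, *bios_region)
    locked = bool(snap.hsfs & FLOCKDN)
    if not pr_covers:
        weaknesses.append("PRx: BIOS region is not fully covered by write-protected ranges")
    if not locked:
        weaknesses.append("FLOCKDN clear: protected-range registers can be rewritten at runtime")
    pr_ok = pr_covers and locked

    return (cntl_ok or pr_ok), weaknesses


# Constructed 16 MiB flash: the BIOS region occupies the top 12 MiB.
BIOS_REGION = (0x400000, 0xFFFFFF)

# Weak: writes enabled, no lock, no protected ranges, configuration not locked down.
WEAK = SpiSnapshot(bios_cntl=BIOSWE, hsfs=0, pr_regs=(0, 0, 0, 0, 0))
# Hardened via BIOS_CNTL: writes disabled, lock enabled, writes confined to SMM.
LOCKED_CNTL = SpiSnapshot(bios_cntl=BLE | SMM_BWP, hsfs=0, pr_regs=(0, 0, 0, 0, 0))
# Hardened via PR0 covering the whole BIOS region, with FLOCKDN set.
PR0_FULL = (1 << 31) | (0xFFF << 16) | 0x400   # WPE, limit 0xFFFFFF, base 0x400000
LOCKED_PR = SpiSnapshot(bios_cntl=BIOSWE, hsfs=FLOCKDN, pr_regs=(PR0_FULL, 0, 0, 0, 0))
# Half-measure: PR0 covers the region but FLOCKDN is clear, so it can be undone at runtime.
UNLOCKED_PR = SpiSnapshot(bios_cntl=BIOSWE, hsfs=0, pr_regs=(PR0_FULL, 0, 0, 0, 0))

if __name__ == "__main__":
    for label, snap in [("weak", WEAK), ("bios_cntl lock", LOCKED_CNTL),
                        ("pr lock", LOCKED_PR), ("pr without flockdn", UNLOCKED_PR)]:
        ok, why = evaluate(snap, BIOS_REGION)
        print(f"{label:20} protected={ok}")
        for w in why:
            print("    -", w)
```

The two-mechanism rule matters for the half-measure case: protected ranges that are not locked down are only a suggestion, because anything running with chipset access can clear them before writing, which is the class of misconfiguration the report describes for the PA-415.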

These issues can compromise the integrity of networks protected by these devices, opening the door to advanced attacks that exploit the very tools designed to protect them.


Affected Models and Their Current Status

The analysis included three firewall models:

  • PA-3260: Reached the end of its sales cycle in August 2023, but is likely still in use in many organizations.
  • PA-1410 and PA-415: These are active and fully supported platforms used in enterprise environments to protect critical networks.

Implications and Risks

Eclypsium’s research underscores a troubling fact: even devices specifically designed to protect systems can become attack vectors if not properly updated and configured. These gaps allow attackers to compromise essential functions like secure boot and manipulate device firmware, making intrusion detection difficult and leaving organizations exposed to sophisticated attacks.


Recommendations to Mitigate Risks

Eclypsium urges organizations to adopt a comprehensive approach to securing their infrastructure. Key recommended measures include:

  • Security Audits: Conduct periodic assessments of devices and their configurations to identify potential vulnerabilities.
  • Firmware Updates: Ensure that all devices are running the latest software versions that include security patches.
  • Continuous Monitoring: Implement tools that detect unauthorized modifications to firmware or abnormal behaviors in devices.
  • Supply Chain Review: Rigorously evaluate the security of vendors before acquiring technological solutions.
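The continuous monitoring recommendation above, detecting unauthorized changes to firmware, is usually implemented as baseline-and-compare over a flash image. The following is an added example (not code from Eclypsium or Palo Alto Networks) that hashes each region of an image, keeps the digests as a baseline, and classifies later differences, treating an NVRAM-style variable store that legitimately changes between boots differently from a change inside the BIOS code region. The flash layout, region offsets and images are constructed for illustration; real captures would come from a firmware dump of the device.

```python
"""Baseline-and-compare integrity check for a firmware image, by region.

Added example; the layout and images below are constructed, not real firmware.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int                 # exclusive
    volatile: bool = False   # variable stores change during normal operation


# Constructed layout for a hypothetical 1 MiB image (offsets are illustrative).
LAYOUT = [
    Region("descriptor", 0x00000, 0x01000),
    Region("nvram",      0x01000, 0x11000, volatile=True),
    Region("bios",       0x11000, 0x100000),
]


def hash_regions(image: bytes, layout: List[Region]) -> Dict[str, str]:
    """SHA-256 digest of every region; refuses an image shorter than the layout."""
    if len(image) < max(r.end for r in layout):
        raise ValueError("image shorter than layout")
    return {r.name: hashlib.sha256(image[r.start:r.end]).hexdigest() for r in layout}


def compare(baseline: Dict[str, str], current: Dict[str, str],
            layout: List[Region]) -> Dict[str, List[str]]:
    """Classify differences: 'alert' for changed non-volatile regions, 'info' for
    changed volatile ones, 'missing' for baseline regions absent from the capture,
    'unexpected' for capture regions the baseline never had."""
    volatile = {r.name for r in layout if r.volatile}
    result: Dict[str, List[str]] = {"alert": [], "info": [], "missing": [], "unexpected": []}
    for name, digest in baseline.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name] != digest:
            result["info" if name in volatile else "alert"].append(name)
    result["unexpected"] = sorted(set(current) - set(baseline))
    return result


def build_image(seed: bytes, size: int = 0x100000) -> bytes:
    """Deterministic filler so the example runs offline (constructed, not real firmware)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


def patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of image with data written at offset (simulates a modification)."""
    return image[:offset] + data + image[offset + len(data):]


# Golden image: in practice this baseline comes from a vendor-published, signed
# release image, not from the first capture taken off a device already in service.
GOLDEN = build_image(b"constructed-golden-image")
BASELINE = hash_regions(GOLDEN, LAYOUT)

# Capture 1: only the variable store changed, as expected after normal boots.
NVRAM_ONLY = patch(GOLDEN, 0x02000, b"\x00" * 64)
# Capture 2: bytes inside the BIOS code region differ from the baseline.
BIOS_CHANGED = patch(GOLDEN, 0x80000, b"\xff" * 64)


def check_capture(capture: bytes) -> Dict[str, List[str]]:
    """Compare a fresh capture against the golden baseline."""
    return compare(BASELINE, hash_regions(capture, LAYOUT), LAYOUT)


if __name__ == "__main__":
    for label, cap in [("golden", GOLDEN), ("nvram only", NVRAM_ONLY), ("bios changed", BIOS_CHANGED)]:
        print(f"{label:13}", check_capture(cap))
```

Per-region hashing is what makes the result actionable: a whole-image digest would flag every device after every boot because the variable store moves, while the per-region split lets the monitor stay quiet on expected churn and escalate only on changes to code that should be identical to the vendor release.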

Reflections on Security in Critical Devices

This discovery highlights a disturbing truth: security is not a static state but a continuous process. Organizations cannot assume that security devices are free from flaws. On the contrary, they should consider them a critical component requiring ongoing attention.

As malicious actors develop more sophisticated tactics, protecting security infrastructure must become a strategic priority for businesses. By proactively addressing these vulnerabilities, organizations can significantly reduce risks and better protect their data and networks against increasingly advanced threats.

via: Security News
