Kevin Beaumont
If you ever wanted a Remote Code Execution exploit for Palo-Alto GlobalProtect (VPN solution presented to internet by design), somebody made one which spawns a webshell, used it to hack Uber.
Kevin Beaumont 18 Jul 19
Replying to @GossiTheDog
This vuln has no CVE, so it looks like Palo-Alto tried to silently fix it. It's actually a really serious bug, there's a LOT of big orgs exposed to this.
Kevin Beaumont 18 Jul 19
Replying to @GossiTheDog
GlobalProtect runs on same box as Palo-Alto firewall, so you end up owning the internet gateway + firewall rules in an end to end encrypted session. Woops. PA probably want to tell customers to upgrade.
Kevin Beaumont 18 Jul 19
Replying to @GossiTheDog
Palo-Alto have dropped a massive bollock here, they didn't assign a CVE and didn't tell people it appears - result is thousands of major companies are still vulnerable to a format string (!) vulnerability which looks like it belongs in 1997 on their internet gateways.
Kevin Beaumont 18 Jul 19
Replying to @GossiTheDog
Palo-Alto have now created a security bulletin for this and requested a CVE (CVE-2019-1579 pending assigning). The issue is over a year old and absolutely critical as a 100% reliable preauth RCE VPN exploit using format strings, highly recommend you patch.
Random Robbie 18 Jul 19
Replying to @GossiTheDog
not managed to get this working yet
Kevin Beaumont 18 Jul 19
Replying to @Random_Robbie
it will need tweaking, the different versions behave differently
Andrew 18 Jul 19
Replying to @GossiTheDog
It's funny, 'cause my org switched to GlobalProtect a few weeks ago and I noticed some odd things happening on my network when working from home - some obvious signs of vulnerability. I didn't investigate as I had too much work on, but now I wish I had...
PeterC 20 Jul 19
Replying to @DrAndrewR @GossiTheDog
this vulnerability was patched a year ago. If your org hasn’t updated their PAN-OS version since then, yes big trouble. We don’t have any customers running code this old, unpatched. It would be malpractice.
MrMDHaynes 🚀 18 Jul 19
Replying to @GossiTheDog
Due to difficulty detecting vulnerable devices a potential indicator is an increase in process crashes. You are almost certainly going to see an increase of scanners focused towards your exposed PA VPN appliances.
pry - Ben Bidmead 21 Jul 19
waddup?