Analysis Summary

An evaluation by researchers uncovered several security flaws in three Palo Alto Networks firewall models—PA-3260, PA-1410, and PA-415—highlighting vulnerabilities in the firmware and misconfigured security features. Dubbed "PANdora's Box," the identified issues could allow attackers to bypass integrity protections, such as Secure Boot, and execute malicious firmware modifications.

The vulnerabilities include:

1. CVE-2020-10713 (BootHole): Affects all three models, allowing Secure Boot bypass on Linux systems.
2. Multiple SMM vulnerabilities: Found in PA-3260’s InsydeH2O UEFI firmware, enabling privilege escalation and Secure Boot bypass.
3. LogoFAIL: Affects PA-3260, exploiting image parsing flaws in UEFI code to bypass Secure Boot and execute malicious code.
4. PixieFail: Targets PA-1410 and PA-415, exploiting vulnerabilities in the UEFI TCP/IP stack for code execution and information disclosure.
5. Insecure flash access control: Affects PA-415, enabling UEFI modification by attackers.
6. CVE-2023-1017: An out-of-bounds write vulnerability in TPM 2.0 impacting PA-415.
7. Intel BootGuard key bypass: Affects PA-1410.

The PA-3260 reached end-of-sale in August 2023, while the PA-1410 and PA-415 remain supported. Exploitation of these vulnerabilities typically requires prior compromise of PAN-OS software to gain elevated privileges.

Researchers stressed that these vulnerabilities demonstrate the risks of unpatched security appliances and urged organizations to conduct rigorous vendor assessments, apply regular firmware updates, and monitor device integrity. They emphasized the importance of securing supply chains to counteract threats targeting security appliances.

Palo Alto Networks acknowledged the findings but clarified that successful exploitation scenarios do not exist under normal conditions with up-to-date PAN-OS software and secured management interfaces. The company stated it is unaware of any malicious exploitation of these vulnerabilities and is working with third-party vendors to develop firmware updates for affected systems, particularly the PA-3200, PA-5200, and PA-7200 series with SMC-B installed.

To mitigate risk, Palo Alto Networks recommends upgrading to the latest PAN-OS software and adhering to best practices for securing management interfaces. Further updates and guidance will be shared with impacted customers.

Impact

• Security Bypass
• Privilege Escalation
• Remote Code Execution
• Unauthorized Gain Access
• Sensitive Information Disclosure

Indicators of Compromise

CVE

• CVE-2020-10713

• CVE-2021-33627

• CVE-2021-42060

• CVE-2021-42554

• CVE-2021-43323

• CVE-2021-45970

• CVE-2022-24030

• CVE-2023-40238

• CVE-2023-1017

• CVE-2023-45229

• CVE-2023-45230

• CVE-2023-45231

• CVE-2023-45232

• CVE-2023-45233

• CVE-2023-45234

• CVE-2023-45235

• CVE-2023-45236

• CVE-2023-45237

Affected Vendors

Remediation

• Refer to Palo Alto Networks Security Advisory for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.