Palo Alto Networks warns users of dangerous security threat affecting firewalls


  • Palo Alto Networks says it's aware of claims of flaws in the firewalls
  • Company is advising users to be extra cautious and tighten up on security
  • A patch will be deployed when more details about the bug are found

Palo Alto Networks has revealed it was recently made aware of an alleged vulnerability in its firewall offering which could allow threat actors to remotely execute malicious code.

Since it doesn’t know the details of the flaw, and is yet to see any evidence of in-the-wild abuse, the company says it doesn’t have a patch lined up just yet, but said it was “aware of a claim” of a remote code execution vulnerability in the PAN-OS management interface and has, as a result, started actively monitoring for signs of exploitation.

In the meantime, Palo Alto Networks has advised its users to be extra cautious, noting: “At this time we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk.”

Mitigating the problem

“In particular, we recommend that you ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice,” the company added.

BleepingComputer found a separate document on Palo Alto Networks' community website, with additional information on how to secure the firewalls:

  • Isolate the management interface on a dedicated management VLAN.
  • Use jump servers to access the management IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
  • Limit inbound IP addresses to your management interface to approved management devices. This reduces the attack surface by preventing access from unexpected IP addresses and prevents access using stolen credentials.
  • Only permit secured communication such as SSH and HTTPS.
  • Only allow PING for testing connectivity to the interface.
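As an added illustration (not code from the article or from Palo Alto Networks), the following Python check audits a management-interface profile against the guidance above: every permitted source must sit inside an approved internal management subnet, nothing may be open to the whole Internet, and only SSH, HTTPS and ping may be exposed. The profile shape, function names and sample addresses are constructed assumptions, not a PAN-OS export format.

```python
import ipaddress

# Services the community guidance allows on the management interface.
ALLOWED_SERVICES = {"ssh", "https", "ping"}


def audit_mgmt_profile(permitted_ips, services, approved_subnets):
    """Return a list of findings; an empty list means the profile follows the guidance.

    permitted_ips    - CIDR strings allowed to reach the management interface
    services         - service names enabled on the interface (constructed names)
    approved_subnets - CIDR strings of the organisation's management networks
    """
    findings = []
    approved = [ipaddress.ip_network(s, strict=False) for s in approved_subnets]

    if not permitted_ips:
        findings.append("no permitted-IP restriction: interface reachable from any source")

    for entry in permitted_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 exposes the interface to the whole Internet.
            findings.append(f"{entry}: permits the whole Internet")
            continue
        if net.is_global:
            findings.append(f"{entry}: publicly routable range, not an internal network")
        if not any(net.subnet_of(a) for a in approved if a.version == net.version):
            findings.append(f"{entry}: not within an approved management subnet")

    for svc in services:
        if svc.lower() not in ALLOWED_SERVICES:
            findings.append(f"service {svc}: not in the SSH/HTTPS/ping allowlist")
    return findings


# Constructed sample profiles (not real deployments).
APPROVED = ["10.10.50.0/24", "10.10.51.0/24"]
WEAK_PROFILE = {"permitted_ips": ["0.0.0.0/0"], "services": ["https", "ssh", "http", "telnet"]}
HARDENED_PROFILE = {"permitted_ips": ["10.10.50.0/24", "10.10.51.5/32"], "services": ["ssh", "https", "ping"]}

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_mgmt_profile(profile["permitted_ips"], profile["services"], APPROVED) or "OK")
```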

At the moment, Cortex Xpanse and Cortex XSIAM users seem to be the most vulnerable ones. Prisma Access and cloud NGFW are most likely not affected.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.