Palo Alto: Vulnerabilities in firewall firmware and bootloaders
The firmware and bootloaders of some Palo Alto firewalls contain vulnerabilities that could let attackers entrench themselves on a device after a successful attack.
(Image: created with AI in Bing Designer by heise online / dmk)
There are security vulnerabilities in the firmware and bootloaders of Palo Alto Networks hardware appliances. The manufacturer says these flaws are difficult to exploit, but it is working on corrected firmware and bootloaders.
In its security announcement, Palo Alto Networks explains that it is aware of “allegations of multiple vulnerabilities in hardware device firmware and bootloaders as part of our PA series of (hardware) firewalls”. “It is not possible for malicious actors or PAN-OS administrators to exploit these vulnerabilities under normal conditions in PAN-OS versions with up-to-date, secured management interfaces set up according to best practices,” the company continues.
Older vulnerabilities in firmware and bootloaders
According to Palo Alto, neither users nor administrators have access to the BIOS firmware or the rights to change it. An attacker would first have to compromise the system and ultimately obtain Linux root privileges in order to abuse the vulnerabilities. The vulnerabilities were discovered by IT security firm Eclypsium, which notes somewhat ironically: “Fortunately for attackers (and unfortunately for defenders), gaining root privileges on Palo Alto PAN-OS devices is possible by combining exploits for two vulnerabilities, CVE-2024-0012 and CVE-2024-9474.” At the end of November, more than 2000 Palo Alto devices worldwide were compromised in exactly this way.
The security bulletin lists several older vulnerabilities to which some of the examined device series are susceptible. These include the vulnerability known as BootHole, which became public in 2020 and, due to errors in the Grub2 bootloader, allows attackers to tamper with the boot process and plant practically invisible malware despite Secure Boot.
The individual vulnerabilities particularly affect devices from the PA-3200, PA-5200 and PA-7000 series that are equipped with a Switch Management Card (SMC-B). Other products and series, such as Cloud-NGFW, PAN-OS CN, PAN-OS VM and Prisma Access, are not affected. Palo Alto is also not aware of any attacks exploiting these vulnerabilities in the wild. The company is working with third-party providers to develop firmware updates that “may be necessary”. To reduce the risk of abuse, the appliances should be updated to the latest PAN-OS version. The company also recommends restricting access to the management interface to trusted internal IP addresses, as described in its best practices guidelines.
(dmk)