
    Palo Alto Firewalls Exposed to Secure Boot Bypass and Firmware Exploitation

    An analysis of three Palo Alto Networks firewall models has uncovered a set of long-standing security weaknesses: vulnerabilities in the devices' firmware and misconfigured protection mechanisms that should have prevented firmware tampering.

    “These weren’t obscure or edge-case susceptibilities,” the cybersecurity firm Eclypsium noted in a detailed briefing shared with The Hacker News.

    “Rather, these were glaringly evident flaws that one would scarcely anticipate even in consumer-grade laptops. Such vulnerabilities could empower adversaries to sidestep fundamental integrity safeguards, like Secure Boot, and tamper with firmware components upon successful exploitation.”

    Eclypsium examined three appliances: the PA-3260, PA-1410, and PA-415. The PA-3260 reached end-of-sale on August 31, 2023, while the PA-1410 and PA-415 remain actively sold, supported models in the firewall lineup.

    The identified vulnerabilities, collectively designated PANdora's Box, are the following:

    1. CVE-2020-10713 (BootHole)
      • Affects: PA-3260, PA-1410, and PA-415
      • A buffer overflow in the GRUB2 bootloader's configuration-file parser. An attacker who can modify the GRUB configuration gains code execution before the operating system loads, bypassing Secure Boot on Linux systems that rely on it.
    2. System Management Mode (SMM) Vulnerabilities
      • Affects: PA-3260
      • Encompasses CVE-2022-24030, CVE-2021-33627, CVE-2021-42060, CVE-2021-42554, CVE-2021-43323, and CVE-2021-45970.
      • These flaws in Insyde Software's InsydeH2O UEFI firmware allow code execution in SMM, which runs with higher privilege than the operating system or hypervisor, and can be used for privilege escalation and Secure Boot bypass.
    3. LogoFAIL
      • Affects: PA-3260
      • Critical vulnerabilities in the image-parsing libraries that UEFI firmware uses to render boot logos. A crafted image lets an attacker execute code during system initialization and subvert Secure Boot.
    4. PixieFail
      • Affects: PA-1410 and PA-415
      • A cluster of vulnerabilities in the network (IPv6/PXE) stack of the TianoCore EDK II UEFI reference implementation, reachable during network boot, which can lead to remote code execution, denial of service, and sensitive data exposure.
    5. Insecure SPI Flash Access Controls
      • Affects: PA-415
      • The SPI flash that stores the UEFI firmware is not correctly write-protected, so code running on the host could rewrite the firmware directly, bypassing the countermeasures that depend on firmware integrity and persisting below the operating system.
    6. CVE-2023-1017
      • Affects: PA-415
      • An out-of-bounds write in the Trusted Platform Module (TPM) 2.0 reference library implementation, reachable by an attacker who can send crafted commands to the TPM.
    7. Intel BootGuard Key Bypass
      • Affects: PA-1410
      • Leaked OEM signing keys allow an attacker to sign firmware that Intel Boot Guard accepts as authentic, neutralizing its verified-boot protection.
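
    Item 5 above, and the closing recommendation to monitor device integrity, come down to a handful of chipset registers. The following Python is an added illustration and is not code from Eclypsium, Palo Alto Networks, or any assessment tool: it decodes the BIOS_CNTL and Protected Range (PR0-PR4) register values that a firmware-security check reads from an Intel PCH and reports whether the BIOS region of SPI flash is writable from the host. The bit layout used here is the commonly documented PCH format and is an assumption about the platform, as are the sample register values; on real hardware the values must be read from PCI configuration space (LPC device, offset 0xDC) and the SPIBAR MMIO window with kernel-level access.

```python
"""Decode Intel PCH SPI flash write-protection registers and decide whether the
BIOS region can be rewritten from the OS.

Added example, not Eclypsium's or Palo Alto's code. Register layouts below are
assumptions (the commonly documented PCH format); sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BiosCntl:
    bioswe: bool   # bit 0: BIOS Write Enable
    ble: bool      # bit 1: BIOS Lock Enable (SMI fires when BIOSWE is set)
    smm_bwp: bool  # bit 5: SMM BIOS Write Protect (writes only allowed from SMM)


def decode_bios_cntl(value: int) -> BiosCntl:
    """Decode the BIOS_CNTL byte/dword read from LPC PCI config offset 0xDC."""
    return BiosCntl(bioswe=bool(value & 1),
                    ble=bool((value >> 1) & 1),
                    smm_bwp=bool((value >> 5) & 1))


@dataclass
class ProtectedRange:
    base: int           # first protected flash address (inclusive)
    limit: int          # last protected flash address (inclusive)
    write_protect: bool # WPE, bit 31
    read_protect: bool  # RPE, bit 15


def decode_pr(value: int) -> ProtectedRange:
    """Decode one PRx register: PRB bits 14:0 and PRL bits 30:16 are 4 KiB page
    numbers (assumed layout; older PCHs use 13-bit fields with the upper bits zero)."""
    prb = value & 0x7FFF
    prl = (value >> 16) & 0x7FFF
    return ProtectedRange(base=prb << 12,
                          limit=(prl << 12) | 0xFFF,
                          write_protect=bool((value >> 31) & 1),
                          read_protect=bool((value >> 15) & 1))


def _wp_covers(ranges: List[ProtectedRange], region_base: int, region_limit: int) -> bool:
    """True if the union of write-protected ranges covers [region_base, region_limit]."""
    cursor = region_base
    for base, limit in sorted((r.base, r.limit) for r in ranges if r.write_protect):
        if base > cursor:
            return False            # uncovered gap before this range
        cursor = max(cursor, limit + 1)
        if cursor > region_limit:
            return True
    return cursor > region_limit


def assess_bios_write_protection(bios_cntl_raw: int, pr_raws: List[int],
                                 bios_base: int, bios_limit: int) -> Dict:
    """Apply the usual verdict: the BIOS region is protected if BIOS_CNTL locks it
    (conservatively: SMM_BWP=1, BLE=1, BIOSWE=0) or the PR registers write-protect
    the whole region. Returns the verdict plus human-readable findings."""
    bc = decode_bios_cntl(bios_cntl_raw)
    prs = [decode_pr(v) for v in pr_raws]
    findings: List[str] = []

    bios_cntl_ok = bc.smm_bwp and bc.ble and not bc.bioswe
    if bc.bioswe:
        findings.append("BIOSWE=1: BIOS region writable from the host")
    if not bc.ble:
        findings.append("BLE=0: BIOSWE can be set without triggering an SMI")
    if not bc.smm_bwp:
        findings.append("SMM_BWP=0: BIOS writes are not restricted to SMM")

    pr_ok = _wp_covers(prs, bios_base, bios_limit)
    if not pr_ok:
        findings.append("Protected Range registers do not write-protect the whole BIOS region")

    return {"protected": bios_cntl_ok or pr_ok,
            "bios_cntl_ok": bios_cntl_ok,
            "pr_ok": pr_ok,
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample: 16 MiB flash with the BIOS region in the upper 8 MiB.
    BIOS_BASE, BIOS_LIMIT = 0x00800000, 0x00FFFFFF
    # BIOS_CNTL=0x22 (BLE=1, SMM_BWP=1, BIOSWE=0), no PR registers in use.
    print(assess_bios_write_protection(0x22, [0] * 5, BIOS_BASE, BIOS_LIMIT))
    # BIOS_CNTL=0x01 (BIOSWE=1, nothing locked), PR0 only covers 0x800000-0xBFFFFF.
    print(assess_bios_write_protection(0x01, [0x8BFF0800, 0, 0, 0, 0], BIOS_BASE, BIOS_LIMIT))
```

    The second sample is the shape of the PA-415 finding in register terms: the BIOS_CNTL lock bits are clear and the Protected Range registers leave part of the BIOS region uncovered, so the firmware can be rewritten from the host. A monitoring job can snapshot these registers after each firmware update and alert when the verdict changes.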

    “These revelations amplify a sobering reality: even systems architected for defense can themselves transform into instruments of exploitation if neglected in their security posture,” Eclypsium emphasized.

    The firm stressed that, as attackers increasingly target security appliances themselves, organizations must widen their view of supply chain security to include the firmware of the devices meant to protect them.

    This necessitates:

    • Diligent vendor vetting processes.
    • Consistent firmware updates to remediate latent vulnerabilities.
    • Ongoing monitoring to preserve device integrity and mitigate exploitation risks.

    By finding and fixing such hidden weaknesses before attackers do, enterprises reduce the risk that the safeguards at their network perimeter are turned against them.
