PANdora's Box Reveals Firmware Flaws in Palo Alto Firewalls


VTA-004505 – “PANdora’s Box Reveals Firmware Flaws in Palo Alto Firewalls”

Security researchers have identified multiple critical vulnerabilities in the firmware of three Palo Alto Networks firewall models: PA-3260, PA-1410, and PA-415. These flaws, collectively named “PANdora’s Box,” include Secure Boot bypasses, privilege escalation, and firmware modifications that could allow attackers to gain unauthorized access and control.

Notable vulnerabilities include BootHole, affecting Secure Boot on Linux systems, and a series of Unified Extensible Firmware Interface (UEFI)-based flaws such as LogoFAIL, which exploits vulnerabilities in image parsing, and PixieFail, which targets the TCP/IP network stack. These issues could enable code execution, information disclosure, and direct modification of the UEFI firmware.

Other weaknesses include insecure flash access controls and a Trusted Platform Module (TPM) vulnerability (CVE-2023-1017) that could lead to privilege escalation and bypasses of Intel Boot Guard.

Researchers emphasized that these vulnerabilities could allow attackers to compromise device integrity, bypass essential security features, and install malicious firmware. Palo Alto Networks has stated that these issues require additional exploitation steps and elevated privileges, mitigating the immediate risk to up-to-date systems configured according to best practices.

Severity:
Medium

Attack Surface:
Endpoint OS, Infrastructure, Supply Chain (Third-party vendors), System Management Service

Tactics:
Defense Evasion, Impact, Privilege Escalation

Techniques:
T1553: Subvert Trust Controls
T1068: Exploitation for Privilege Escalation
T1566: Phishing
T1195: Supply Chain Compromise
T1495: Firmware Corruption

References:
1. https://eclypsium.com/blog/pandoras-box-vulns-in-security-appliances/

SuperPRO’s Threat Countermeasures Procedures: 
1. Regularly update to the latest supported versions of PAN-OS firmware.
2. Follow best practices for securing management interfaces and restricting access.
3. Conduct periodic integrity checks on firmware and hardware components.
4. Monitor devices for unusual activity or potential exploitation signs.
5. Use a zero-trust approach to limit the impact of potential breaches.
6. Engage in rigorous supply chain and vendor assessments for firmware and hardware.
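Countermeasure 3 (periodic firmware integrity checks) is the one most directly aimed at the Secure Boot bypasses and firmware modifications described above. The following is an added example, not code from this advisory, from Eclypsium or from Palo Alto Networks, showing how a defender can check firmware integrity with a TPM measured-boot event log: replay the log to recompute PCR values, confirm the replay matches what the TPM actually attests (so an edited log cannot hide a change), and then name the first measurement that drifted from a golden baseline. The event log format, PCR assignments and all digests are simplified and constructed for the example; real logs use the TCG event-log format and are read with tooling such as tpm2-tools.

```python
import hashlib
from dataclasses import dataclass

# A TPM PCR (SHA-256 bank) starts as 32 zero bytes and can only be "extended":
#   PCR_new = SHA256(PCR_old || measured_digest)
PCR_INIT = bytes(32)


@dataclass(frozen=True)
class MeasuredEvent:
    """One boot-time measurement: the PCR it extended, what was measured, its digest."""
    pcr: int
    description: str
    digest: bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def replay_event_log(events: list[MeasuredEvent]) -> dict[int, bytes]:
    """Recompute the final PCR values by replaying every extend in log order."""
    pcrs: dict[int, bytes] = {}
    for ev in events:
        pcrs[ev.pcr] = sha256(pcrs.get(ev.pcr, PCR_INIT) + ev.digest)
    return pcrs


def verify_against_quote(events: list[MeasuredEvent], quoted_pcrs: dict[int, bytes]) -> list[int]:
    """PCR indices where the replayed log disagrees with the values the TPM reports.

    The log lives in untrusted memory; only the TPM quote is authoritative. A mismatch
    means the log was edited after the fact or does not describe this boot."""
    replayed = replay_event_log(events)
    return sorted(i for i, v in quoted_pcrs.items() if replayed.get(i, PCR_INIT) != v)


def first_divergence(events: list[MeasuredEvent], baseline: list[MeasuredEvent]) -> dict[int, str]:
    """For every PCR that differs from the golden baseline, name the first changed measurement."""
    current, golden = replay_event_log(events), replay_event_log(baseline)
    drift: dict[int, str] = {}
    for pcr in sorted(set(current) | set(golden)):
        if current.get(pcr, PCR_INIT) == golden.get(pcr, PCR_INIT):
            continue
        cur_events = [e for e in events if e.pcr == pcr]
        base_events = [e for e in baseline if e.pcr == pcr]
        for cur, base in zip(cur_events, base_events):
            if cur.digest != base.digest:
                drift[pcr] = cur.description
                break
        else:
            drift[pcr] = "event count differs from baseline"
    return drift


# Constructed sample logs; these are not measurements from any real appliance.
GOLDEN_LOG = [
    MeasuredEvent(0, "UEFI firmware volume", sha256(b"fv-main v1.0")),
    MeasuredEvent(0, "UEFI DXE driver volume", sha256(b"fv-dxe v1.0")),
    MeasuredEvent(7, "Secure Boot policy (PK/KEK/db/dbx)", sha256(b"secure-boot-vars v1")),
    MeasuredEvent(4, "Boot loader", sha256(b"bootloader v1.0")),
]

# Same boot sequence, but the DXE volume was replaced: one digest changes, so PCR 0 drifts.
TAMPERED_LOG = [
    GOLDEN_LOG[0],
    MeasuredEvent(0, "UEFI DXE driver volume", sha256(b"fv-dxe v1.0 (modified)")),
    GOLDEN_LOG[2],
    GOLDEN_LOG[3],
]


def main() -> None:
    # Stands in for a TPM quote taken from the live (tampered) device.
    live_quote = replay_event_log(TAMPERED_LOG)
    # Honest log from the tampered boot: consistent with the quote, but drifted from baseline.
    print("log/quote mismatches:", verify_against_quote(TAMPERED_LOG, live_quote))
    print("drift from baseline:", first_divergence(TAMPERED_LOG, GOLDEN_LOG))
    # Forged log that claims the golden sequence: the quote exposes it.
    print("forged log vs quote:", verify_against_quote(GOLDEN_LOG, live_quote))


if __name__ == "__main__":
    main()
```

The baseline replay should be captured once from a known-good device after a verified firmware update and stored off-box; the check is then scheduled and compares a fresh TPM quote and event log against it. PCR 7 staying equal across both logs is expected here, since the Secure Boot variables were not changed, which is why a drift report per PCR is more useful than a single pass/fail.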

Contributed by: Fatini