why are more people not talking about this?
Vložit
- čas přidán 13. 06. 2024
- A critical 10/10 vulnerability has been found in Palo Alto's firewalls, but how important is it really? Check it out in this video.
security.paloaltonetworks.com...
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord - Věda a technologie
I changed my wifi network names to my credit card and banking details, preventing the need for being hacked to enter my network entirely! #science
🧠🧠 Ohio level IQ moment
brilliance
I think your sentence is reversed. It sounds like you meant to say "to prevent the need to enter my network to steal my card" ;)
@@MyAmazingUsername I didnt understand anything of that comment, can you please explain what he meant to say?
@@NachitenRemix Putting his credit card number as wifi name to save the hacker's time. 💀
wonder why so many exploit and bugs have been found in such short time, perhaps the linux exploit raised the auditing level to overdrive?
Not a bad thing imo, better than them being found by bad actors first
AI tools are finding them.
@@ianvecmanis5642 lol not today, not today
@@ianvecmanis5642 from what i've seen the AI tools currently most of the time just point to pointless stuff and lead to clutter in bugtracker
@@ianvecmanis5642 Ain't no way.
This issue somehow related to a "telemetry" feature looks like a disguised backdoor to me, don't know why
like the robot bees in Black Mirror
is it just the me or have there been an insane amount of vulnerabilities in the last couple weeks/months?
ps: love the idea of a what-if-they-used-rust-o-meter lmao
It's not necessarily more, but the impact of the vulnerabilities seems to be higher...
I believe this is because we have more cybersecurity specialists than ever before, and there are many more devices and features that involve an internet connection
It's just you. Stop projecting.
It's not just you
@@31redorange08 not trying to project. i have been more interested in this topic lately, so idk if this was simply content algorithms (over)doing their job
A firewall with telemetry??? This sounds like an April fools' vulnerability but I'm afraid it's not. And they have the nerve to tell customers to switch telemetry back on once this fiasco has been fixed. Incredible.
The funniest part of the whole video
That’s why we make our own!
Asking the users to turn telemetry back on is the icing on the cake. Why would a company want to keep a feature enabled that 1. Isn’t useful to them, 2. Had previous vulnerabilities? It seems pretty dumb.
Telemetry is replacing snmp? Which have been around in network proucts forever
Telemetry...with root privilege
device telemetry...
... do I have to be that guy?
thats where the NSA and Mossad get in through the backdoor
@@yeetyeet7070 based noticer
telemetry is an opt-in feature for Palo Alto firewalls. But yeah, I share your concerns.
Damn, NSA is taking a lot of losses recently.
I'm afraid they're probably discovering new exploits faster than their existing ones are getting fixed.
All kinds of backdoors being discovered.
I'm pretty sure in this case it's telemetry for the local admins. Having your firewall phone home (and open extra ports because of it) sounds like the dumbest idea ever.
it's for a feature called AiOps to do best practice assessments and collect system utilization of many firewalls on a cloud based platform
i saw about this exploit and was like why is there no coverage on it, but then i realised that it was literally out of the over so fresh that not many people had covered. glad you dropped this video
This is turning out to be the year of vulnerabilities
Just wait for next year, you haven`t seen anything yet ^^
I say that every year
I'm relatively new to this channel but absolutely love the balance of detail and brevity. It may just be a perfect mix for my knowledge level but it's incredibly valuable. 🎉 Thank you!
All the firewall vulnerabilities I've seen have been for attacks on the management plane/OS of the firewall. I have not heard of an attack that is able to circumvent the firewall directly. I'd love to know if anyone else has heard of one.
No because direct circumvention is an oxymoron
Putting this everywhere since the video is a few days old. GlobalProtect is a, really annoying, VPN. Meaning the firewall itself is a server with a port open to the internet.
I really love the would-rust-have-fixed-this-meter. That sounds like a great idea!
This video made me remember to turn on and configure my firewall. I turned off my firewall half a year ago because of kde connect and forgot about it.
Been here for a while and really enjoying your videos, keep it up :)
Reminds me of the 2019 cve for netscaler and how every body thought they didnt need additional firewalls.
This CVE took my entire morning!
Very good concise explanation good for young folks starting out!
Can't get firewall hacked if you don't use a firewall. * _taps head_ *
What would have helped is data tagging to spot a lack of sanitization. Tools like Coverity would have flagged this.
Of course, another thing that would have helped is a focus on simplicity. Every feature added is a potential attack surface. Security products that we pay a lot for are sort of oxymorons, Palo Alto Networks is no exception. For the companies to survive, they must constantly add a steady drip of features that their largest customers ask of them, sometimes even just one large customer. And this is a steady drip of increasing attack surface.
The best development pattern for something like a firewall core is a fixed mission with low feature creep from a reputable, steadily funded team. Something like OpenBSD.
Agreed on the "one thing" part. GlobalProtect is a VPN feature. At the least, it should be containerized compared to the rest of the firewall.
So we have a closed source OS with telemetry, that has a root code execution vulnerability in a device whose role it is to literally monitor the entire network traffic 24/7. Coolio
You forgot, GlobalProtect is the VPN built into the firewall, so that's an external port open to the world. Oh, and the firewall is designed to and often used to MITM secure traffic on corporate networks...
This one is used by like every big manufacturing and tech company. I wonder who has been sipping the secrets away.
Love these videos!
It is worth pointing out although they say Firewall, the issue appears to be when the VPN Endpoint and Telemetry are enabled.
Because they have signatures for it, that hints at the firewall aspect is not the issue, but probably based around the authentication of remote users.
As I am a long tooth to me a firewall is a firewall and should not be having other modules shoehorned in, as Citrix NetScalers seem to have exponentially more advisories when they are acting as a VPN endpoint
A painful VPN at that. The worst part is I'm pretty sure, for some companies, the second choice from GlobalProtect is to use the NetScaler boxes...
I have a PanOS in my home network, will need to check the version when I get home
Ah *Telemetry* i always knew this is a PLANNED backdoor into every software, i disabled mine in Windows
I did the same thing by switching to Arch Linux
I don't think you can fully disable telemetry in Windows
@@adamk.7177 Can't afford that move right now
@@adamk.7177btw
@@zokalyx yes, windows still collect info, mostly about errors
People acting like day zeroes don't exist in multiples right now(as they always have) . They just haven't been found yet by the "good guys."
"...firewalls are just code, just software on the firewall written by humans..." Well, probably, and hopefully for a long time going forward.
I don't see corporate network admins looking over this and saying, "oh, we'll leave this enabled" while configuring their stuff, so I hope that lessens the impact
I don’t understand if this is for all firewalls or just this pan-os and if this is for Linux in general?
Even though I don't have any issues with Palo Alto, and they have a super valid usage of telemetry, just being able to say the sentence "There's a command injection in their telemetry" gives me catharsis.
I was not expecting this to be about palo alto. Dam.
will we ever be able to write code without vulnerabilities?
I feel like its a matter of time before something fundamental gets exploited and harms everything.
Nope. It's impossible to avoid vulnerabilities and bugs at some point no matter how perfect code you write. We are humans after all.
It's hard to identify whether one has vulnerability against something.
@@ishanjaiswal9041 forget nuclear war. i wonder if the internets vulnerabilities themselves are a ticking timebomb, waiting for someone clever and malicious enough to deal catastrophic damage
In a video awhile ago you recommended a website that taught about mostly Linux C-style memory exploits. I forget the name currently.
Given that memory safety is the new thing is there any point of really grinding that out now? It's going through like buffer overflows, exploiting the stack or function address table... Etc. seems like that will be outdated?
The XZ situation really is having some ripples, huh? Another vulnerability found in such a short time.
is any rust course coming soon to the academy ?
There . . i was waiting for this.. but then.. i got no Palo-Alto FW ..
does this bleed through into other FW applications
Ahh yes.. a "bug" in the telemetry service, of course
So... I think there is a common theme here where a category of security issues arise from not tracking the source of data, and requiring data from untrusted sources to be sanitised before it can be passed on to a potentially scary sink. Rust's ownership model provides one possible tool for this. I think Perl used to have a system for tracking tainted data. There are solutions to this problem that can be enforced mechanically. But the lowest level APIs tend not to do this, and of course, those are the ones most people will hit.
How ro know if my firewall data has sent to attacker or not? I see some output for grep command.😮
Can it RCE with root because the firewall is running as root?
Is it possible to show the vulnerability in the sourcd code? I feel like without explaining how it got introduced and what should be done instead... I am not learning anything for me.
Business as usual 😊
Most of the network devices use old kernels and old software stack, so it is buggy.
I want to know what an 11/10 vulnerability looks like
The same, but in something safety-critical. For instance in Industry.
One that makes a poweplant go poof
It would be a vulnerability, which is unable to be patched just by code alone.
@@Sypakasoftware, firmware, microcode, and chip. A chip level defect is the worst, especially if it is a kind that cannot be mitigated by microcode or other patch.
Part of me makes me wonder, is this actually a bug, or did someone just find their backdoor which is part of their telemetry?
Welp this one is huge. I wonder how long it has been exploited for.
Why didn't they wait until a patch was available to release the info about the vulnerability? With a lot of software things are like here is a vulnerability and here is the patch. With open source projects you can later see emails about the vulnerability dated way before the disclosure date.
Because there are workarounds. Disable telemetry, enable the specific threat ID in the Vulnerability profile, etc
Palos also use Redis and MongoDB
Never heard of Palo Alto firewalls, I used only ipfw, ipf, pf and iptables.
Perhaps the garbage telemetry was the way in.
damn, we are getting new bugs on a daily basis,
a bug a day keeps the your personal data on fire.
they're FINDING them on a daily basis, you always had them though, they just went unnoticed longer
that can only be fixed by not even being turing complete to begin with, aka, don't ever have command as input.
If a firewall inspects packets, then is it theoretically possible that a firewall gets exploited because they parsed/inspected a certain malicious packet?
I mean in principle 🤔
i feel like finding out about all of these these volnitabilitues all the time is going to give me some sort of depression at some point
P. S. I mean, when you learn that one thing became not safe, another one did and you need to update it in the future, and so on. Like, nothing feels secure
And I thought there was a netfilter issue or pf even.
Honestly, same. I was about to go see if my distro had a patch/update, when im like lets just watch the first few minutes and check, so glad it's not netfilter/iptables.
@@fenix849 Haven't switched to nft yet? It's really good! I just hate that you can't remove iptables on every distro yet. One of the reasons why I switched to OpenBSD. Though their pf is shit. Don't let them fool you. It's completely backwards.
Anyway, about nftables. If you switch, unlike pf, where you have to pretend it's iptables, in nft you have to think in ipv4 and ipv6, not in tables. Make one table for each and that's it, otherwise you can't use your sets in nat and filter at the same time.
The reason RUST's bug doesn't really feel like a 10/10 bug is because the prolem is not an issue that even should be fixed by the language you use.
There's so many bots/spammers ._.
was this a bug..... or a feature? :)
I like telemetry... Sooo much winning 😂
So, they had a backdoor that they put their on purpose and someone other than them found it. That is the only conclusion i can get from this coming from telemetry
iptables baby
When a collab with John Hammond?
They deserve this for inventing prisma cloud
Quick boys! New vulnerability just dropped!
"Oh whoops how careless we left a 'debugging feature' enabled which allowed remote code execution" said yet another network appliance/firewall/switch manufacturer
Rust would probably not have solved this, but it could if the vulnerability comes from usage of something as dumb as PHP system(), or something else which sends commands to the shell instead of directly to input arguments of a program.
The only firewall I trust is iptables. Though the rules are not that easy to write, it takes only a few pieces of data from incoming packets. Parsing application layer stuff should be done by the program dealing with the traffic AND without root permissions. Complex listeners with way too much useless automation have been proven dangerous countless times.
something might just peddle through - with or without iptables..
Next: CVE in iptables by a backdoor using some wierd ass obscure lib
The problem is that firewalls on a host are not that easy to configure on a large scale, also doesn't support rules based on DNS, no real threat intelligence.
Imagine running remote applications on a firewall...
It is like they want to get hacked..
Like really?
Firewall should have NO services,
NO local connections out to the network(s) at all besides the needed for getting network conffig from ISP.
Pref not even that.
A static config is pref to avoid MitM exploits.
It should only bee filtering the network traffic and nothing else..
inb4 it was Rust all along
Is the vulnerability in firewalld ? That's what I use.
Can you please do a video on golang?
500k!
*another* Palo Alto vulnerability? Deja vu...
Good old telemetry to bite you in the backside.
Little added info from him, just reading what is there - not really enjoying this but maybe there is a future video that explains more indepth things.
Use two different firewalls so If it passes one there is another!
I had a thought during the week. That is you cannot just go and buy security. Companies sell the feeling of security but it's best effort and no guarantees that what you are buying isn't riddled with security vulnerabilities. I like the way QubesOS describes themselves as a reasonably secure OS. We can always do better and will never be secure. It's all about making attackers jobs harder.
What Rust doesn't fix is dangerous
I want to learn rust but I have no idea about memory management and rust has high learnig carve but I know python.
Once again, a telemetry is the root cause of all evil.
I'm really searching for this. ❤❤
Great work bro 👏
It was fine. As long as excel.exe don't get out.
vulnerability in device telemetry. lol
Yay
Not again...
Indeed, software is software, software is buggy and therefore, software will have a vulnerability somewhere, so even Palo Alto isnt invulnerable (sorry) to issues like these
0day in a .... telemetry....
Rust is just cpp if the compiler was a total Karen
Rust, exploited rust?
Palo alto, cisco, fortinet all get exploited all the time. Nothing new imo
Hey man you should get some more light on your face and lower the ISO, it'll look better!
POTUS sponsored rust-o-meter lol
You only need a very few rules of thumb to prevent this kind of vulnerability.
(1) Don't run code as root if it isn't totally necessary.
(2) Don't read in arbitrary amounts of data.
(3) Check incoming data for plausibility.
(4) Check incoming data for escape sequences and delimiters and delete or ignore such data.
(5) Don't stuff incoming data into a system command that you run.
(6) Use all the length-limited string functions, the ones with a "n" in them, with the right n limit.
(7) Check each and every use of an array to ensure no index gets out of bounds.
(8) Check each pointer to ensure it's not null or some wild value.
Unplugging the server and ups from the wall also provides perfect security except for cases of physical access. I do agree with most of what you say to be fair.
I don't give a fuck how popular they are why tthe fuck is telemetry on by default?! This isn't fucking Windows, this is my god damn firewall, I haven't even gotten to the point where I need a standalone firewall, but if they're phoning home by default they can kiss me as a customer goodbye
So the Indian Tech Support Scammers were right, I DID need a new firewall.
Soooo. What are the other firewalls affected? Is that not what is alluded to with the title of the video? Other than the paloalto os', I didn't see any others listed...
Frankly I'm not surprised, screw Palo Alto. PA is so outdated and behind the current technologies and quality of life for their Network Security Engineers.
Cisco and Checkpoint all the way!
I've seen some people diss telemetry, but in some cases it can be a really great tool. Telemetry doesn't always mean someone selling your data to ad companies.
In this case, off the top of my head, that telemetry can be used to identify ongoing attempts to bypass security. Then because of telemetry, they can see it happen across the entire US and send out an advisory.
Or it can be used to identify behaviour in the past that may have been indicative of a hack in situations where a 0 day with a specific signature is discovered.
it might have a different name ?
sharing IDS logs ?
Mmm... It makes me wonder, because telemetry in the windows sense would not provide an open port on the unsafe side of the firewall... It'd just connect directly to Palo Alto's servers and not provide an angle for arbitrary remote bad actors to get in.
So this means it is either meant for the net admins to access data on their firewall remotely (which if you have any real security needs you should disable that and make it accessible LAN-side or VPN-side only), or... It's a backdoor for Palo Alto to use to get in, which might have a legitimate business use (helping unskilled admins configure their firewall), but it's also something any good admin who has half a clue what they're doing should turn off, specifically because of how much it increases your attack surface. Either of these are pretty similar to just allowing remote logins on a direct connection. Now, it's been a while since I used Palo Alto, so I don't remember if their firewalls had such features off the top of my head, but I know for sure the secure environment I was working in would have them disabled. But not every business *needs* a rigid security posture... And a lot will readily compromise security for ease of use, like... Paying Palo Alto themselves to configure a fire wall instead of paying an ongoing employee with enough skill to do more than the most basic daily admin tasks themselves.
I've actually worked at a place that was *frustrated* by me having a similar skill level to the people on the expensive remote management contract they were paying for, and I got dressed down for fixing things myself instead of calling them and twiddling my thumbs while on hold.
@@psiah9889It’s becoming increasingly more prevalent to see people not being allowed to work on the things that they have for their own organization. We go through the same thing here and it’s so frustrating knowing we can fix it, yet we’re on a multiple day wait for the company to get back with us to fix something
It should not be enabled on a firewall. A firewall is a device where security is very important, so minimizing the attack surface of the software running on it is important. Telemetry is a part of the application that is interacts with the network, which increases the attack surface and potential for vulnerabilities. Telemetry is not the same thing as logging and isn't necessary.
"But, can your firewall get hacked?" Let's see...is your firewall a piece of software written using libraries that may or may not have vulnerabilities that can be exploited by hackers? If the answer is "Yes" then yes, your firewall can get hacked. Essentially, any piece of code that allows for - by whatever means - the reading and processing of data, is a target for hackers.
AGAIN?