A comprehensive evaluation of three firewall models from Palo Alto Networks found numerous known security flaws affecting the devices’ firmware as well as misconfigured security features.
“These were not obscure vulnerabilities in the corner,” security vendor Eclypsium said in a report shared with The Hacker News.
“Instead, these were very well-known issues that we didn’t expect to see even on a consumer-grade laptop. These issues could allow attackers to bypass even the most basic integrity protections, such as Secure Boot, and modify the device’s firmware if exploited.”
The company said it analyzed three firewalls from Palo Alto Networks, the PA-3260, PA-1410 and PA-415. The first of these officially reached end-of-sale on August 31, 2023; the other two are fully supported firewall platforms.
The list of detected flaws, collectively nicknamed Pandora’s box, is as follows:
- CVE-2020-10713, aka BootHole (affects PA-3260, PA-1410 and PA-415): a buffer overflow vulnerability that allows Secure Boot to be bypassed on Linux systems that have it enabled
- CVE-2022-24030, CVE-2021-33627, CVE-2021-42060, CVE-2021-42554, CVE-2021-43323 and CVE-2021-45970 (affect PA-3260): a set of System Management Mode (SMM) vulnerabilities in Insyde Software’s InsydeH2O UEFI firmware that can lead to privilege escalation and Secure Boot bypass
- LogoFAIL (affects PA-3260): a set of critical vulnerabilities in Unified Extensible Firmware Interface (UEFI) code that exploit flaws in the image-parsing libraries built into the firmware to bypass Secure Boot and execute malicious code during system startup
- PixieFail (affects PA-1410 and PA-415): a set of vulnerabilities in the TCP/IP network protocol stack included in the UEFI reference implementation that could lead to code execution and information disclosure
- Insecure flash access controls (affects PA-415): misconfigured SPI flash access controls that could allow an attacker to modify the UEFI firmware directly and bypass other security mechanisms
- CVE-2023-1017 (affects PA-415): an out-of-bounds write vulnerability in the Trusted Platform Module (TPM) 2.0 reference library specification
- Leaked Intel Boot Guard bypass keys (affects PA-1410)
“These findings highlight a critically important truth: even devices designed for protection can become vectors for attack if not properly secured and maintained,” Eclypsium said. “As threat actors continue to target security devices, organizations must take a more holistic approach to supply chain security.”
“This includes careful evaluation of vendors, regular firmware updates and continuous monitoring of device integrity. By understanding and addressing these hidden vulnerabilities, organizations can better protect their networks and data against sophisticated attacks that exploit the very tools designed to protect them.”