Security vendor stirs controversy using undisclosed flaw for months

Nancy J. Delong

The disclosure of a critical vulnerability, rated 9.8 out of 10, affecting Palo Alto Networks firewall appliances with the GlobalProtect Portal VPN enabled is generating controversy in the security industry, as it appears that one security vendor used it for close to a year in "Red Team" penetration testing before disclosing it to the firewall vendor.

Security vendor Randori developed a working exploit for the CVE-2021-3064 flaw, which affects several versions of PAN-OS, the operating system running the firewalls in question, leaving over 10,000 internet-facing devices exposed to exploitation by attackers.

Randori says it began investigating the GlobalProtect Portal VPN in October last year and discovered a buffer overflow bug and a method of bypassing validations performed by an external web server, known as HTTP smuggling.

In December 2020, Randori says it began "authorised use of the vulnerability chain" as part of its automated Red Team attack platform.

It wasn't until September and October this year, however, that Randori disclosed the buffer overflow and HTTP smuggling bugs to Palo Alto Networks, which assigned a Common Vulnerabilities and Exposures identifier to the flaws.

Palo Alto Networks issued patches the following month, but Randori has yet to explain why it took some nine months to report the vulnerabilities to the vendor.

The infosec community was initially appalled at the long period of time before Randori disclosed the vulnerability to Palo Alto Networks, questioning the ethics of doing so while using the flaw as part of its Red Team consultancy.

It now appears that Palo Alto Networks quietly fixed the bug in September last year, but whether or not that was intentional is not clear.

Palo Alto Networks has not yet explained why it assigned a CVE to the bug, and issued official patches for it, only this year.
