why are more people not talking about this?
ฝัง
- เผยแพร่เมื่อ 22 พ.ค. 2024
- A critical 10/10 vulnerability has been found in Palo Alto's firewalls, but how important is it really? Check it out in this video.
security.paloaltonetworks.com...
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord - วิทยาศาสตร์และเทคโนโลยี
I changed my wifi network names to my credit card and banking details, preventing the need for being hacked to enter my network entirely! #science
🧠🧠 Ohio level IQ moment
brilliance
I think your sentence is reversed. It sounds like you meant to say "to prevent the need to enter my network to steal my card" ;)
@@MyAmazingUsername I didnt understand anything of that comment, can you please explain what he meant to say?
@@NachitenRemix Putting his credit card number as wifi name to save the hacker's time. 💀
This issue somehow related to a "telemetry" feature looks like a disguised backdoor to me, don't know why
like the robot bees in Black Mirror
wonder why so many exploit and bugs have been found in such short time, perhaps the linux exploit raised the auditing level to overdrive?
Not a bad thing imo, better than them being found by bad actors first
AI tools are finding them.
@@ianvecmanis5642 lol not today, not today
@@ianvecmanis5642 from what i've seen the AI tools currently most of the time just point to pointless stuff and lead to clutter in bugtracker
@@ianvecmanis5642 Ain't no way.
is it just the me or have there been an insane amount of vulnerabilities in the last couple weeks/months?
ps: love the idea of a what-if-they-used-rust-o-meter lmao
It's not necessarily more, but the impact of the vulnerabilities seems to be higher...
I believe this is because we have more cybersecurity specialists than ever before, and there are many more devices and features that involve an internet connection
It's just you. Stop projecting.
It's not just you
@@31redorange08 not trying to project. i have been more interested in this topic lately, so idk if this was simply content algorithms (over)doing their job
A firewall with telemetry??? This sounds like an April fools' vulnerability but I'm afraid it's not. And they have the nerve to tell customers to switch telemetry back on once this fiasco has been fixed. Incredible.
The funniest part of the whole video
That’s why we make our own!
Asking the users to turn telemetry back on is the icing on the cake. Why would a company want to keep a feature enabled that 1. Isn’t useful to them, 2. Had previous vulnerabilities? It seems pretty dumb.
Telemetry is replacing snmp? Which have been around in network proucts forever
Telemetry...with root privilege
device telemetry...
... do I have to be that guy?
thats where the NSA and Mossad get in through the backdoor
@@yeetyeet7070 based noticer
telemetry is an opt-in feature for Palo Alto firewalls. But yeah, I share your concerns.
Damn, NSA is taking a lot of losses recently.
I'm afraid they're probably discovering new exploits faster than their existing ones are getting fixed.
All kinds of backdoors being discovered.
i saw about this exploit and was like why is there no coverage on it, but then i realised that it was literally out of the over so fresh that not many people had covered. glad you dropped this video
I'm pretty sure in this case it's telemetry for the local admins. Having your firewall phone home (and open extra ports because of it) sounds like the dumbest idea ever.
it's for a feature called AiOps to do best practice assessments and collect system utilization of many firewalls on a cloud based platform
I'm relatively new to this channel but absolutely love the balance of detail and brevity. It may just be a perfect mix for my knowledge level but it's incredibly valuable. 🎉 Thank you!
This is turning out to be the year of vulnerabilities
Just wait for next year, you haven`t seen anything yet ^^
I say that every year
This video made me remember to turn on and configure my firewall. I turned off my firewall half a year ago because of kde connect and forgot about it.
Been here for a while and really enjoying your videos, keep it up :)
All the firewall vulnerabilities I've seen have been for attacks on the management plane/OS of the firewall. I have not heard of an attack that is able to circumvent the firewall directly. I'd love to know if anyone else has heard of one.
No because direct circumvention is an oxymoron
Putting this everywhere since the video is a few days old. GlobalProtect is a, really annoying, VPN. Meaning the firewall itself is a server with a port open to the internet.
I really love the would-rust-have-fixed-this-meter. That sounds like a great idea!
Can't get firewall hacked if you don't use a firewall. * _taps head_ *
Reminds me of the 2019 cve for netscaler and how every body thought they didnt need additional firewalls.
This CVE took my entire morning!
Very good concise explanation good for young folks starting out!
Love these videos!
What would have helped is data tagging to spot a lack of sanitization. Tools like Coverity would have flagged this.
Of course, another thing that would have helped is a focus on simplicity. Every feature added is a potential attack surface. Security products that we pay a lot for are sort of oxymorons, Palo Alto Networks is no exception. For the companies to survive, they must constantly add a steady drip of features that their largest customers ask of them, sometimes even just one large customer. And this is a steady drip of increasing attack surface.
The best development pattern for something like a firewall core is a fixed mission with low feature creep from a reputable, steadily funded team. Something like OpenBSD.
Agreed on the "one thing" part. GlobalProtect is a VPN feature. At the least, it should be containerized compared to the rest of the firewall.
I have a PanOS in my home network, will need to check the version when I get home
So we have a closed source OS with telemetry, that has a root code execution vulnerability in a device whose role it is to literally monitor the entire network traffic 24/7. Coolio
You forgot, GlobalProtect is the VPN built into the firewall, so that's an external port open to the world. Oh, and the firewall is designed to and often used to MITM secure traffic on corporate networks...
This one is used by like every big manufacturing and tech company. I wonder who has been sipping the secrets away.
It is worth pointing out although they say Firewall, the issue appears to be when the VPN Endpoint and Telemetry are enabled.
Because they have signatures for it, that hints at the firewall aspect is not the issue, but probably based around the authentication of remote users.
As I am a long tooth to me a firewall is a firewall and should not be having other modules shoehorned in, as Citrix NetScalers seem to have exponentially more advisories when they are acting as a VPN endpoint
A painful VPN at that. The worst part is I'm pretty sure, for some companies, the second choice from GlobalProtect is to use the NetScaler boxes...
In a video awhile ago you recommended a website that taught about mostly Linux C-style memory exploits. I forget the name currently.
Given that memory safety is the new thing is there any point of really grinding that out now? It's going through like buffer overflows, exploiting the stack or function address table... Etc. seems like that will be outdated?
Ah *Telemetry* i always knew this is a PLANNED backdoor into every software, i disabled mine in Windows
I did the same thing by switching to Arch Linux
I don't think you can fully disable telemetry in Windows
@@adamk.7177 Can't afford that move right now
@@adamk.7177btw
@@zokalyx yes, windows still collect info, mostly about errors
"...firewalls are just code, just software on the firewall written by humans..." Well, probably, and hopefully for a long time going forward.
People acting like day zeroes don't exist in multiples right now(as they always have) . They just haven't been found yet by the "good guys."
I don't see corporate network admins looking over this and saying, "oh, we'll leave this enabled" while configuring their stuff, so I hope that lessens the impact
I was not expecting this to be about palo alto. Dam.
There . . i was waiting for this.. but then.. i got no Palo-Alto FW ..
does this bleed through into other FW applications
is any rust course coming soon to the academy ?
Even though I don't have any issues with Palo Alto, and they have a super valid usage of telemetry, just being able to say the sentence "There's a command injection in their telemetry" gives me catharsis.
I don’t understand if this is for all firewalls or just this pan-os and if this is for Linux in general?
Is it possible to show the vulnerability in the sourcd code? I feel like without explaining how it got introduced and what should be done instead... I am not learning anything for me.
How ro know if my firewall data has sent to attacker or not? I see some output for grep command.😮
will we ever be able to write code without vulnerabilities?
I feel like its a matter of time before something fundamental gets exploited and harms everything.
Nope. It's impossible to avoid vulnerabilities and bugs at some point no matter how perfect code you write. We are humans after all.
It's hard to identify whether one has vulnerability against something.
@@ishanjaiswal9041 forget nuclear war. i wonder if the internets vulnerabilities themselves are a ticking timebomb, waiting for someone clever and malicious enough to deal catastrophic damage
The XZ situation really is having some ripples, huh? Another vulnerability found in such a short time.
So... I think there is a common theme here where a category of security issues arise from not tracking the source of data, and requiring data from untrusted sources to be sanitised before it can be passed on to a potentially scary sink. Rust's ownership model provides one possible tool for this. I think Perl used to have a system for tracking tainted data. There are solutions to this problem that can be enforced mechanically. But the lowest level APIs tend not to do this, and of course, those are the ones most people will hit.
Can it RCE with root because the firewall is running as root?
Business as usual 😊
Ahh yes.. a "bug" in the telemetry service, of course
Why didn't they wait until a patch was available to release the info about the vulnerability? With a lot of software things are like here is a vulnerability and here is the patch. With open source projects you can later see emails about the vulnerability dated way before the disclosure date.
Because there are workarounds. Disable telemetry, enable the specific threat ID in the Vulnerability profile, etc
Part of me makes me wonder, is this actually a bug, or did someone just find their backdoor which is part of their telemetry?
Most of the network devices use old kernels and old software stack, so it is buggy.
Welp this one is huge. I wonder how long it has been exploited for.
Palos also use Redis and MongoDB
I want to know what an 11/10 vulnerability looks like
The same, but in something safety-critical. For instance in Industry.
One that makes a poweplant go poof
It would be a vulnerability, which is unable to be patched just by code alone.
@@Sypakasoftware, firmware, microcode, and chip. A chip level defect is the worst, especially if it is a kind that cannot be mitigated by microcode or other patch.
If a firewall inspects packets, then is it theoretically possible that a firewall gets exploited because they parsed/inspected a certain malicious packet?
I mean in principle 🤔
Never heard of Palo Alto firewalls, I used only ipfw, ipf, pf and iptables.
that can only be fixed by not even being turing complete to begin with, aka, don't ever have command as input.
Perhaps the garbage telemetry was the way in.
The reason RUST's bug doesn't really feel like a 10/10 bug is because the prolem is not an issue that even should be fixed by the language you use.
i feel like finding out about all of these these volnitabilitues all the time is going to give me some sort of depression at some point
P. S. I mean, when you learn that one thing became not safe, another one did and you need to update it in the future, and so on. Like, nothing feels secure
There's so many bots/spammers ._.
Rust would probably not have solved this, but it could if the vulnerability comes from usage of something as dumb as PHP system(), or something else which sends commands to the shell instead of directly to input arguments of a program.
damn, we are getting new bugs on a daily basis,
a bug a day keeps the your personal data on fire.
they're FINDING them on a daily basis, you always had them though, they just went unnoticed longer
And I thought there was a netfilter issue or pf even.
Honestly, same. I was about to go see if my distro had a patch/update, when im like lets just watch the first few minutes and check, so glad it's not netfilter/iptables.
@@fenix849 Haven't switched to nft yet? It's really good! I just hate that you can't remove iptables on every distro yet. One of the reasons why I switched to OpenBSD. Though their pf is shit. Don't let them fool you. It's completely backwards.
Anyway, about nftables. If you switch, unlike pf, where you have to pretend it's iptables, in nft you have to think in ipv4 and ipv6, not in tables. Make one table for each and that's it, otherwise you can't use your sets in nat and filter at the same time.
When a collab with John Hammond?
They deserve this for inventing prisma cloud
"Oh whoops how careless we left a 'debugging feature' enabled which allowed remote code execution" said yet another network appliance/firewall/switch manufacturer
was this a bug..... or a feature? :)
I like telemetry... Sooo much winning 😂
I had a thought during the week. That is you cannot just go and buy security. Companies sell the feeling of security but it's best effort and no guarantees that what you are buying isn't riddled with security vulnerabilities. I like the way QubesOS describes themselves as a reasonably secure OS. We can always do better and will never be secure. It's all about making attackers jobs harder.
Quick boys! New vulnerability just dropped!
So, they had a backdoor that they put their on purpose and someone other than them found it. That is the only conclusion i can get from this coming from telemetry
Is the vulnerability in firewalld ? That's what I use.
*another* Palo Alto vulnerability? Deja vu...
Imagine running remote applications on a firewall...
It is like they want to get hacked..
Like really?
Firewall should have NO services,
NO local connections out to the network(s) at all besides the needed for getting network conffig from ISP.
Pref not even that.
A static config is pref to avoid MitM exploits.
It should only bee filtering the network traffic and nothing else..
inb4 it was Rust all along
iptables baby
Can you please do a video on golang?
What Rust doesn't fix is dangerous
Little added info from him, just reading what is there - not really enjoying this but maybe there is a future video that explains more indepth things.
Once again, a telemetry is the root cause of all evil.
The only firewall I trust is iptables. Though the rules are not that easy to write, it takes only a few pieces of data from incoming packets. Parsing application layer stuff should be done by the program dealing with the traffic AND without root permissions. Complex listeners with way too much useless automation have been proven dangerous countless times.
something might just peddle through - with or without iptables..
Next: CVE in iptables by a backdoor using some wierd ass obscure lib
The problem is that firewalls on a host are not that easy to configure on a large scale, also doesn't support rules based on DNS, no real threat intelligence.
Use two different firewalls so If it passes one there is another!
I want to learn rust but I have no idea about memory management and rust has high learnig carve but I know python.
I'm really searching for this. ❤❤
Great work bro 👏
It was fine. As long as excel.exe don't get out.
Good old telemetry to bite you in the backside.
Indeed, software is software, software is buggy and therefore, software will have a vulnerability somewhere, so even Palo Alto isnt invulnerable (sorry) to issues like these
Not again...
500k!
Palo alto, cisco, fortinet all get exploited all the time. Nothing new imo
0day in a .... telemetry....
Rust is just cpp if the compiler was a total Karen
So the Indian Tech Support Scammers were right, I DID need a new firewall.
Frankly I'm not surprised, screw Palo Alto. PA is so outdated and behind the current technologies and quality of life for their Network Security Engineers.
Cisco and Checkpoint all the way!
Rust, exploited rust?
"But, can your firewall get hacked?" Let's see...is your firewall a piece of software written using libraries that may or may not have vulnerabilities that can be exploited by hackers? If the answer is "Yes" then yes, your firewall can get hacked. Essentially, any piece of code that allows for - by whatever means - the reading and processing of data, is a target for hackers.
vulnerability in device telemetry. lol
AGAIN?
Yay
Always say no to telemetry
It's a skill issue on the part of the developers, as well as overreach from the company. Telemetry is nearly always a bad thing that shouldn't be incorporated into any products, but there are tools that can check vulnerabilities in software which should have been used but clearly were not. And processing commands taken from external input should require far more scrutiny than it usually does, these moroffs just haven't gotten the message yet. They're not the only ones either, they're just the most recent to be discovered. It'll happen again and again and it won't matter what language they're using, Rust or otherwise, it's an overall skill issue. If anyone does read this they'll think that I'm saying the particular error here could have been checked by existing tools even though that's not what I'm saying, and they won't read this last sentence to see a clarification.
Lol, what's happening with security
What is happening lately. WTF
I don't give a fuck how popular they are why tthe fuck is telemetry on by default?! This isn't fucking Windows, this is my god damn firewall, I haven't even gotten to the point where I need a standalone firewall, but if they're phoning home by default they can kiss me as a customer goodbye
PAN employe watching 👀 this video 😂😂😂😂