Information about TCP SACK Panic Findings in PAN-OS (PAN-SA-2019-0013)

Last revised: 06/28/2019

Summary

Palo Alto Networks is aware of recent vulnerability disclosures known as TCP SACK Panic vulnerabilities. (Ref: PAN-119745/ CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Severity: High

Successful exploitation of these issues could allow an unprivileged remote user to trigger a kernel panic in systems running the affected software, resulting in a denial of service. While these issues primary affect the PAN-OS Management Plane (MP), it is possible for MP services to be exposed via Data Plane (DP) interfaces as a result of Service Route or and Interface Management Profile configurations. Examples include Management Profiles permitting HTTP/HTTPS access to the WebGUI, SSH, or response pages. In these cases, it is possible that malicious traffic could arrive at the MP kernel through the DP interface. Devices with unrestricted connectivity to the MP, such as internal hosts, may be able to leverage this issue to impact device performance. Palo Alto Networks is not affected by CVE-2019-5599.

Products Affected

PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2-h3 and earlier. GlobalProtect Gateway and GlobalProtect portal are NOT affected by these issues.

Available Updates

PAN-OS 7.1.24 and later, PAN-OS 8.0.19 and later, PAN-OS 8.1.8-h5 and later, and PAN-OS 9.0.2-h4 and later

Workarounds and Mitigations

These issues affect the management interface of PAN-OS and are strongly mitigated by following best practices for securing the PAN-OS management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 9.0 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html.

Acknowledgements

N/A