Information Disclosure in WildFire Appliance (WF-500) (PAN-SA-2019-0016)

Last revised: 07/08/2019

Summary

Palo Alto Networks has determined that the WildFire Appliance (WF-500) is affected by the vulnerability disclosure known as LazyFP and has completed an update to address these issues. The WildFire Appliance (WF-500) software update is now available to customers that use the WildFire Appliance (WF-500) for on-premise sandboxing. Please note that customers using the WildFire cloud service are NOT impacted by this advisory. (PAN-99016/CVE-2018-3665)

Severity: Medium

Successful exploitation of this issue may allow reads from a compromised sandbox VM (guest OS) to retrieve data from other VMs (another guest OS) or the PAN-OS operating system (host OS) as a result of breaching the separation between kernel and user address space. The analysis method utilized by the WildFire Appliance (WF-500) and WildFire Cloud helps to mitigate the impact of this issue. Each virtualized file analysis session is unique and each session is terminated and destroyed after analysis is complete. The uniqueness of each file analysis session coupled with the limited amount of time allowed to execute an attack within the environment limits the scope of impact that the attacker can have on the sandbox VM (guest OS) and the PAN-OS operating system (host OS).

Products Affected

WildFire Appliance (WF-500) running appliance software all versions of 7.1, versions 8.0.17 and earlier, and versions of 8.1.8 and earlier.

Available Updates

WildFire Appliance (WF-500) software version 8.0.18 and later and 8.1.9 and later. Please note: WildFire Appliance (WF-500) software versions 9.0 and later are not impacted by this advisory. The Traps agent does not detect/prevent this specific type of CPU-level side-channel attack. For WildFire Appliance (WF-500) software versions 7.1 and earlier, please consult the Administrator’s Guide for steps to upgrade (https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/set-up-and-manage-a-wildfire-appliance/upgrade-a-wildfire-appliance#idbce6a8ca-f900-4a49-b28b-de089139ce93).

Workarounds and Mitigations

Customers not using the WildFire Appliance (WF-500) are not impacted by this advisory. Customers using the WildFire cloud are not impacted by this advisory.

Acknowledgements

N/A