Last revised: 10/08/2018
Palo Alto Networks is aware of recent vulnerability disclosure, known as FragmentSmack, that affects Linux kernel 3.9 and later. At this time, our findings show that some Palo Alto Networks devices running specific versions of PAN-OS are vulnerable to this disclosure. (CVE-2018-5391). This security advisory will be updated as more information becomes available or if there are changes in the impact of these vulnerabilities.
A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. To exploit this vulnerability a remote attacker could send specially crafted packets that trigger time and calculation expensive fragment reassembly algorithms and cause CPU saturation (a denial of service on the system). This only affects the Management Plane of PAN-OS.
PAN-OS 6.1.21 and earlier running on PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050. PAN-OS 7.1.19 and earlier running on PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050 and PA-7080. PAN-OS 8.0.12 and earlier running on PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, PA-7050 and PA-7080. PAN-OS 8.1.3 and earlier running on PA-200, PA-220, PA-220R, PA-500, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, PA-5280, PA-7050 and PA-7080.
PAN-OS 7.1.20 and later, and PAN-OS 8.0.13 and later. We will update this security advisory as soon as fixes are available for PAN-OS 6.1 and PAN-OS 8.1.
This issue affects the management interface of PAN-OS. Our best practices guidelines strongly mitigate exposure to this vulnerability and reduce the exposure of the management interface to other potential threats. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/best-practices-for-securing-administrative-access.