why are more people not talking about this?
Ғылым және технология
A critical 10/10 vulnerability has been found in Palo Alto's firewalls, but how important is it really? Check it out in this video.
security.paloaltonetworks.com...
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord
Пікірлер: 265
is it just the me or have there been an insane amount of vulnerabilities in the last couple weeks/months? ps: love the idea of a what-if-they-used-rust-o-meter lmao
@Draggeta
Ай бұрын
It's not necessarily more, but the impact of the vulnerabilities seems to be higher...
@corndoge3992
Ай бұрын
I believe this is because we have more cybersecurity specialists than ever before, and there are many more devices and features that involve an internet connection
@31redorange08
Ай бұрын
It's just you. Stop projecting.
@Swineflu-jm7wx
Ай бұрын
It's not just you
@powerdust015lastname4
Ай бұрын
@@31redorange08 not trying to project. i have been more interested in this topic lately, so idk if this was simply content algorithms (over)doing their job
I changed my wifi network names to my credit card and banking details, preventing the need for being hacked to enter my network entirely! #science
@someone9273
Ай бұрын
🧠🧠 Ohio level IQ moment
@512kw
Ай бұрын
brilliance
@MyAmazingUsername
Ай бұрын
I think your sentence is reversed. It sounds like you meant to say "to prevent the need to enter my network to steal my card" ;)
@NachitenRemix
Ай бұрын
@@MyAmazingUsername I didnt understand anything of that comment, can you please explain what he meant to say?
@MyAmazingUsername
Ай бұрын
@@NachitenRemix Putting his credit card number as wifi name to save the hacker's time. 💀
wonder why so many exploit and bugs have been found in such short time, perhaps the linux exploit raised the auditing level to overdrive?
@awesomecronk7183
Ай бұрын
Not a bad thing imo, better than them being found by bad actors first
@ianvecmanis5642
Ай бұрын
AI tools are finding them.
@unicod3r
Ай бұрын
@@ianvecmanis5642 lol not today, not today
@VitisCZ
Ай бұрын
@@ianvecmanis5642 from what i've seen the AI tools currently most of the time just point to pointless stuff and lead to clutter in bugtracker
@jakeoshay
Ай бұрын
@@ianvecmanis5642 Ain't no way.
A firewall with telemetry??? This sounds like an April fools' vulnerability but I'm afraid it's not. And they have the nerve to tell customers to switch telemetry back on once this fiasco has been fixed. Incredible.
@caseyriley1014
Ай бұрын
The funniest part of the whole video
@asiliria
Ай бұрын
That’s why we make our own!
@spookycode
Ай бұрын
Asking the users to turn telemetry back on is the icing on the cake. Why would a company want to keep a feature enabled that 1. Isn’t useful to them, 2. Had previous vulnerabilities? It seems pretty dumb.
@stefanth8596
Ай бұрын
Telemetry is replacing snmp? Which have been around in network proucts forever
@henryptung
Ай бұрын
Telemetry...with root privilege
This issue somehow related to a "telemetry" feature looks like a disguised backdoor to me, don't know why
@poisonouspotato1
Ай бұрын
like the robot bees in Black Mirror
device telemetry... ... do I have to be that guy?
@yeetyeet7070
Ай бұрын
thats where the NSA and Mossad get in through the backdoor
@snorman1911
Ай бұрын
@@yeetyeet7070 based noticer
@Kapparillo
Ай бұрын
telemetry is an opt-in feature for Palo Alto firewalls. But yeah, I share your concerns.
Damn, NSA is taking a lot of losses recently.
@goeiecool9999
Ай бұрын
I'm afraid they're probably discovering new exploits faster than their existing ones are getting fixed.
@christ.4977
Ай бұрын
All kinds of backdoors being discovered.
i saw about this exploit and was like why is there no coverage on it, but then i realised that it was literally out of the over so fresh that not many people had covered. glad you dropped this video
I'm pretty sure in this case it's telemetry for the local admins. Having your firewall phone home (and open extra ports because of it) sounds like the dumbest idea ever.
@itsamemarkus
Ай бұрын
it's for a feature called AiOps to do best practice assessments and collect system utilization of many firewalls on a cloud based platform
This is turning out to be the year of vulnerabilities
@Felix-ve9hs
Ай бұрын
Just wait for next year, you haven`t seen anything yet ^^
@meritamity
Ай бұрын
I say that every year
I'm relatively new to this channel but absolutely love the balance of detail and brevity. It may just be a perfect mix for my knowledge level but it's incredibly valuable. 🎉 Thank you!
All the firewall vulnerabilities I've seen have been for attacks on the management plane/OS of the firewall. I have not heard of an attack that is able to circumvent the firewall directly. I'd love to know if anyone else has heard of one.
@shanent5793
Ай бұрын
No because direct circumvention is an oxymoron
@arthurmoore9488
Ай бұрын
Putting this everywhere since the video is a few days old. GlobalProtect is a, really annoying, VPN. Meaning the firewall itself is a server with a port open to the internet.
I really love the would-rust-have-fixed-this-meter. That sounds like a great idea!
This video made me remember to turn on and configure my firewall. I turned off my firewall half a year ago because of kde connect and forgot about it.
Been here for a while and really enjoying your videos, keep it up :)
Can't get firewall hacked if you don't use a firewall. * _taps head_ *
Reminds me of the 2019 cve for netscaler and how every body thought they didnt need additional firewalls.
So we have a closed source OS with telemetry, that has a root code execution vulnerability in a device whose role it is to literally monitor the entire network traffic 24/7. Coolio
@arthurmoore9488
Ай бұрын
You forgot, GlobalProtect is the VPN built into the firewall, so that's an external port open to the world. Oh, and the firewall is designed to and often used to MITM secure traffic on corporate networks...
@astronemir
Ай бұрын
This one is used by like every big manufacturing and tech company. I wonder who has been sipping the secrets away.
This CVE took my entire morning!
What would have helped is data tagging to spot a lack of sanitization. Tools like Coverity would have flagged this. Of course, another thing that would have helped is a focus on simplicity. Every feature added is a potential attack surface. Security products that we pay a lot for are sort of oxymorons, Palo Alto Networks is no exception. For the companies to survive, they must constantly add a steady drip of features that their largest customers ask of them, sometimes even just one large customer. And this is a steady drip of increasing attack surface. The best development pattern for something like a firewall core is a fixed mission with low feature creep from a reputable, steadily funded team. Something like OpenBSD.
@arthurmoore9488
Ай бұрын
Agreed on the "one thing" part. GlobalProtect is a VPN feature. At the least, it should be containerized compared to the rest of the firewall.
Very good concise explanation good for young folks starting out!
It is worth pointing out although they say Firewall, the issue appears to be when the VPN Endpoint and Telemetry are enabled. Because they have signatures for it, that hints at the firewall aspect is not the issue, but probably based around the authentication of remote users. As I am a long tooth to me a firewall is a firewall and should not be having other modules shoehorned in, as Citrix NetScalers seem to have exponentially more advisories when they are acting as a VPN endpoint
@arthurmoore9488
Ай бұрын
A painful VPN at that. The worst part is I'm pretty sure, for some companies, the second choice from GlobalProtect is to use the NetScaler boxes...
Ah *Telemetry* i always knew this is a PLANNED backdoor into every software, i disabled mine in Windows
@adamk.7177
Ай бұрын
I did the same thing by switching to Arch Linux
@zokalyx
Ай бұрын
I don't think you can fully disable telemetry in Windows
@da_cat
Ай бұрын
@@adamk.7177 Can't afford that move right now
@Iceman259
Ай бұрын
@@adamk.7177btw
@lPlanetarizado
Ай бұрын
@@zokalyx yes, windows still collect info, mostly about errors
I have a PanOS in my home network, will need to check the version when I get home
People acting like day zeroes don't exist in multiples right now(as they always have) . They just haven't been found yet by the "good guys."
Love these videos!
"...firewalls are just code, just software on the firewall written by humans..." Well, probably, and hopefully for a long time going forward.
I don't see corporate network admins looking over this and saying, "oh, we'll leave this enabled" while configuring their stuff, so I hope that lessens the impact
Even though I don't have any issues with Palo Alto, and they have a super valid usage of telemetry, just being able to say the sentence "There's a command injection in their telemetry" gives me catharsis.
In a video awhile ago you recommended a website that taught about mostly Linux C-style memory exploits. I forget the name currently. Given that memory safety is the new thing is there any point of really grinding that out now? It's going through like buffer overflows, exploiting the stack or function address table... Etc. seems like that will be outdated?
I was not expecting this to be about palo alto. Dam.
is any rust course coming soon to the academy ?
The XZ situation really is having some ripples, huh? Another vulnerability found in such a short time.
So... I think there is a common theme here where a category of security issues arise from not tracking the source of data, and requiring data from untrusted sources to be sanitised before it can be passed on to a potentially scary sink. Rust's ownership model provides one possible tool for this. I think Perl used to have a system for tracking tainted data. There are solutions to this problem that can be enforced mechanically. But the lowest level APIs tend not to do this, and of course, those are the ones most people will hit.
I don’t understand if this is for all firewalls or just this pan-os and if this is for Linux in general?
Can it RCE with root because the firewall is running as root?
will we ever be able to write code without vulnerabilities? I feel like its a matter of time before something fundamental gets exploited and harms everything.
@ishanjaiswal9041
Ай бұрын
Nope. It's impossible to avoid vulnerabilities and bugs at some point no matter how perfect code you write. We are humans after all. It's hard to identify whether one has vulnerability against something.
@ovencake523
Ай бұрын
@@ishanjaiswal9041 forget nuclear war. i wonder if the internets vulnerabilities themselves are a ticking timebomb, waiting for someone clever and malicious enough to deal catastrophic damage
How ro know if my firewall data has sent to attacker or not? I see some output for grep command.😮
Ahh yes.. a "bug" in the telemetry service, of course
There . . i was waiting for this.. but then.. i got no Palo-Alto FW .. does this bleed through into other FW applications
I want to know what an 11/10 vulnerability looks like
@user-xe8oi5oq6c
Ай бұрын
The same, but in something safety-critical. For instance in Industry.
@worldwarwitt2760
Ай бұрын
One that makes a poweplant go poof
@Sypaka
Ай бұрын
It would be a vulnerability, which is unable to be patched just by code alone.
@worldwarwitt2760
Ай бұрын
@@Sypakasoftware, firmware, microcode, and chip. A chip level defect is the worst, especially if it is a kind that cannot be mitigated by microcode or other patch.
Is it possible to show the vulnerability in the sourcd code? I feel like without explaining how it got introduced and what should be done instead... I am not learning anything for me.
Most of the network devices use old kernels and old software stack, so it is buggy.
Business as usual 😊
Part of me makes me wonder, is this actually a bug, or did someone just find their backdoor which is part of their telemetry?
Never heard of Palo Alto firewalls, I used only ipfw, ipf, pf and iptables.
Why didn't they wait until a patch was available to release the info about the vulnerability? With a lot of software things are like here is a vulnerability and here is the patch. With open source projects you can later see emails about the vulnerability dated way before the disclosure date.
@jnlhisey1113
Ай бұрын
Because there are workarounds. Disable telemetry, enable the specific threat ID in the Vulnerability profile, etc
Palos also use Redis and MongoDB
Welp this one is huge. I wonder how long it has been exploited for.
that can only be fixed by not even being turing complete to begin with, aka, don't ever have command as input.
The reason RUST's bug doesn't really feel like a 10/10 bug is because the prolem is not an issue that even should be fixed by the language you use.
If a firewall inspects packets, then is it theoretically possible that a firewall gets exploited because they parsed/inspected a certain malicious packet? I mean in principle 🤔
I had a thought during the week. That is you cannot just go and buy security. Companies sell the feeling of security but it's best effort and no guarantees that what you are buying isn't riddled with security vulnerabilities. I like the way QubesOS describes themselves as a reasonably secure OS. We can always do better and will never be secure. It's all about making attackers jobs harder.
Perhaps the garbage telemetry was the way in.
was this a bug..... or a feature? :)
And I thought there was a netfilter issue or pf even.
@fenix849
Ай бұрын
Honestly, same. I was about to go see if my distro had a patch/update, when im like lets just watch the first few minutes and check, so glad it's not netfilter/iptables.
@callisoncaffrey
Ай бұрын
@@fenix849 Haven't switched to nft yet? It's really good! I just hate that you can't remove iptables on every distro yet. One of the reasons why I switched to OpenBSD. Though their pf is shit. Don't let them fool you. It's completely backwards. Anyway, about nftables. If you switch, unlike pf, where you have to pretend it's iptables, in nft you have to think in ipv4 and ipv6, not in tables. Make one table for each and that's it, otherwise you can't use your sets in nat and filter at the same time.
They deserve this for inventing prisma cloud
Rust would probably not have solved this, but it could if the vulnerability comes from usage of something as dumb as PHP system(), or something else which sends commands to the shell instead of directly to input arguments of a program.
damn, we are getting new bugs on a daily basis, a bug a day keeps the your personal data on fire.
@liquidsnake6879
Ай бұрын
they're FINDING them on a daily basis, you always had them though, they just went unnoticed longer
i feel like finding out about all of these these volnitabilitues all the time is going to give me some sort of depression at some point P. S. I mean, when you learn that one thing became not safe, another one did and you need to update it in the future, and so on. Like, nothing feels secure
So, they had a backdoor that they put their on purpose and someone other than them found it. That is the only conclusion i can get from this coming from telemetry
"Oh whoops how careless we left a 'debugging feature' enabled which allowed remote code execution" said yet another network appliance/firewall/switch manufacturer
Is the vulnerability in firewalld ? That's what I use.
When a collab with John Hammond?
There's so many bots/spammers ._.
The only firewall I trust is iptables. Though the rules are not that easy to write, it takes only a few pieces of data from incoming packets. Parsing application layer stuff should be done by the program dealing with the traffic AND without root permissions. Complex listeners with way too much useless automation have been proven dangerous countless times.
@herauthon
Ай бұрын
something might just peddle through - with or without iptables..
@Sypaka
Ай бұрын
Next: CVE in iptables by a backdoor using some wierd ass obscure lib
@ES-cf4ph
Ай бұрын
The problem is that firewalls on a host are not that easy to configure on a large scale, also doesn't support rules based on DNS, no real threat intelligence.
Quick boys! New vulnerability just dropped!
Little added info from him, just reading what is there - not really enjoying this but maybe there is a future video that explains more indepth things.
I like telemetry... Sooo much winning 😂
Imagine running remote applications on a firewall... It is like they want to get hacked.. Like really? Firewall should have NO services, NO local connections out to the network(s) at all besides the needed for getting network conffig from ISP. Pref not even that. A static config is pref to avoid MitM exploits. It should only bee filtering the network traffic and nothing else..
Can you please do a video on golang?
iptables baby
*another* Palo Alto vulnerability? Deja vu...
I want to learn rust but I have no idea about memory management and rust has high learnig carve but I know python.
inb4 it was Rust all along
Once again, a telemetry is the root cause of all evil.
I'm really searching for this. ❤❤ Great work bro 👏
Use two different firewalls so If it passes one there is another!
What Rust doesn't fix is dangerous
Indeed, software is software, software is buggy and therefore, software will have a vulnerability somewhere, so even Palo Alto isnt invulnerable (sorry) to issues like these
It was fine. As long as excel.exe don't get out.
So the Indian Tech Support Scammers were right, I DID need a new firewall.
500k!
Good old telemetry to bite you in the backside.
Palo alto, cisco, fortinet all get exploited all the time. Nothing new imo
Cases like this confirms my opinion that open source firewalls are way better for business
You only need a very few rules of thumb to prevent this kind of vulnerability. (1) Don't run code as root if it isn't totally necessary. (2) Don't read in arbitrary amounts of data. (3) Check incoming data for plausibility. (4) Check incoming data for escape sequences and delimiters and delete or ignore such data. (5) Don't stuff incoming data into a system command that you run. (6) Use all the length-limited string functions, the ones with a "n" in them, with the right n limit. (7) Check each and every use of an array to ensure no index gets out of bounds. (8) Check each pointer to ensure it's not null or some wild value.
@fenix849
Ай бұрын
Unplugging the server and ups from the wall also provides perfect security except for cases of physical access. I do agree with most of what you say to be fair.
POTUS sponsored rust-o-meter lol
Hey man you should get some more light on your face and lower the ISO, it'll look better!
I've seen some people diss telemetry, but in some cases it can be a really great tool. Telemetry doesn't always mean someone selling your data to ad companies. In this case, off the top of my head, that telemetry can be used to identify ongoing attempts to bypass security. Then because of telemetry, they can see it happen across the entire US and send out an advisory. Or it can be used to identify behaviour in the past that may have been indicative of a hack in situations where a 0 day with a specific signature is discovered.
@herauthon
Ай бұрын
it might have a different name ? sharing IDS logs ?
@psiah9889
Ай бұрын
Mmm... It makes me wonder, because telemetry in the windows sense would not provide an open port on the unsafe side of the firewall... It'd just connect directly to Palo Alto's servers and not provide an angle for arbitrary remote bad actors to get in. So this means it is either meant for the net admins to access data on their firewall remotely (which if you have any real security needs you should disable that and make it accessible LAN-side or VPN-side only), or... It's a backdoor for Palo Alto to use to get in, which might have a legitimate business use (helping unskilled admins configure their firewall), but it's also something any good admin who has half a clue what they're doing should turn off, specifically because of how much it increases your attack surface. Either of these are pretty similar to just allowing remote logins on a direct connection. Now, it's been a while since I used Palo Alto, so I don't remember if their firewalls had such features off the top of my head, but I know for sure the secure environment I was working in would have them disabled. But not every business *needs* a rigid security posture... And a lot will readily compromise security for ease of use, like... Paying Palo Alto themselves to configure a fire wall instead of paying an ongoing employee with enough skill to do more than the most basic daily admin tasks themselves. I've actually worked at a place that was *frustrated* by me having a similar skill level to the people on the expensive remote management contract they were paying for, and I got dressed down for fixing things myself instead of calling them and twiddling my thumbs while on hold.
@McNyloLT
Ай бұрын
@@psiah9889It’s becoming increasingly more prevalent to see people not being allowed to work on the things that they have for their own organization. We go through the same thing here and it’s so frustrating knowing we can fix it, yet we’re on a multiple day wait for the company to get back with us to fix something
@enderagent
Ай бұрын
It should not be enabled on a firewall. A firewall is a device where security is very important, so minimizing the attack surface of the software running on it is important. Telemetry is a part of the application that is interacts with the network, which increases the attack surface and potential for vulnerabilities. Telemetry is not the same thing as logging and isn't necessary.
"But, can your firewall get hacked?" Let's see...is your firewall a piece of software written using libraries that may or may not have vulnerabilities that can be exploited by hackers? If the answer is "Yes" then yes, your firewall can get hacked. Essentially, any piece of code that allows for - by whatever means - the reading and processing of data, is a target for hackers.
Rust, exploited rust?
Rust is just cpp if the compiler was a total Karen
Frankly I'm not surprised, screw Palo Alto. PA is so outdated and behind the current technologies and quality of life for their Network Security Engineers. Cisco and Checkpoint all the way!
One thing to be aware of this is also likely affecting the Prisma access SASE devides hosted by Palo Alto as they are just VM series NGFW under the hood.
I don't give a fuck how popular they are why tthe fuck is telemetry on by default?! This isn't fucking Windows, this is my god damn firewall, I haven't even gotten to the point where I need a standalone firewall, but if they're phoning home by default they can kiss me as a customer goodbye
It's a skill issue on the part of the developers, as well as overreach from the company. Telemetry is nearly always a bad thing that shouldn't be incorporated into any products, but there are tools that can check vulnerabilities in software which should have been used but clearly were not. And processing commands taken from external input should require far more scrutiny than it usually does, these moroffs just haven't gotten the message yet. They're not the only ones either, they're just the most recent to be discovered. It'll happen again and again and it won't matter what language they're using, Rust or otherwise, it's an overall skill issue. If anyone does read this they'll think that I'm saying the particular error here could have been checked by existing tools even though that's not what I'm saying, and they won't read this last sentence to see a clarification.
Soooo. What are the other firewalls affected? Is that not what is alluded to with the title of the video? Other than the paloalto os', I didn't see any others listed...
0day in a .... telemetry....
But your name isn't low-level learning 😂