A cybersecurity company is defending its decision to withhold notification of two serious vulnerabilities in a VPN product from Palo Alto Networks for months.
The incident came to light last week when Randori, a Denver-based red-team-as-a-service provider, published a report on how it found two vulnerabilities in firewalls using older versions of Palo Alto Networks’ GlobalProtect Portal VPN.
Chained together they leverage a memory corruption vulnerability that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. An attacker must have network access to the GlobalProtect interface to exploit this issue.
As is common practice, companies reveal some details of how they found bugs only after the vendor has released a patch. In this case, Palo Alto released patches on Wednesday. The vulnerabilities are rated critical and the patch should be installed immediately on installations using PAN-OS 8.1.17 and lower. The current version of the operating system is 10.1.
However, tech reporters quickly noticed that according to Randori’s timeline, a buffer overflow vulnerability discovered Nov. 19, 2020 wasn’t disclosed to Palo Alto Networks until September 22nd of this year. An HTTP smuggling vulnerability discovered Nov. 20, 2020 wasn’t disclosed to the manufacturer until October 11th — 12 months later.
In between, Randori began what it called “authorized use” of the vulnerability chain as part of its platform used by customers. “When we say authorized, we mean our customers authorized us to use the 0day in the red team engagement,” a Randori spokesperson explained.
Asked by ITWorldCanada.com why there was a delay, Alicia diVittorio, Randori’s marketing and communications strategist, said in an email that, “when the capability is no longer of utility to our customers, our internal policy triggers a disclosure. In the interim, we actively balance the risks associated, and take these responsibilities very seriously.”
However, she did add that, “We intend to make our process more transparent in the future.”
“We weighed a lot of factors when determining disclosure to minimize industry harm. Factors include, but are not limited to, analysis of the software, patch status, versioning issues, existing remediation strategies, and more. For example, in this case — a minor release within a major version of software — we knew remedies already existed being recommended by the vendor. This factored into our decision. We were aware of the nuance in regards to the PAN update, and it (along with other metrics) factored into our weighing of the risks associated.
“The status of our customer engagements factors in as well,” she said. “There is a period of time we maintain a capability, for the benefit of delivering a real-world experience to strengthen our customers’ security programs. Our aim is to use one bug against many to build resilience of entire systems, not just one piece of software. We have an obligation to service all of our customers with our work, and of course, we’re tracking external factors simultaneously.”
For its part, Palo Alto Networks issued this statement to ITWorldCanada.com: “The security of our customers is our top priority. The security advisory [we] released addresses a vulnerability that only affects old versions of PAN-OS (8.1.16 and earlier). We took immediate steps to implement mitigations for firewalls running older versions. As outlined in the security advisory, we are not aware of any malicious attempts to exploit the vulnerability. We strongly encourage following best practices to keep systems updated and thank the researchers for alerting us and sharing their findings.”
Randori’s delay in reporting the flaws is especially disturbing because the vulnerabilities are critical: Palo Alto Networks assigned them a CVSS score of 9.8. They could have been exploited for months before Palo Alto Networks became aware of them and issued the patch.