6. Google researcher finds arbitrary code execution vulnerability in PAN-OS
Title: Palo Alto Networks Patches Flaws Found by Google Researcher
Author info: November 21, 2016 By Eduard Kovacs
//BEGIN
Project Zero researcher Tavis Ormandy has identified several vulnerabilities in Palo Alto Networks’ PAN-OS operating system. An attacker can combine the flaws to execute arbitrary code with root privileges.
Ormandy reported a total of three security holes to Palo Alto Networks in August. The most serious of them, rated critical and tracked as CVE-2016-9150, is related to how the PAN-OS web management server handles a buffer overflow. An attacker with network access to the management interface can leverage this weakness to execute arbitrary code or cause a denial-of-service (DoS) condition.
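Google's Project Zero has breaking news again!
They found serious security vulnerabilities in the operating system (named PAN-OS) of the network security company Palo Alto (nicknamed "Frying Pan"); exploiting them can let an attacker execute arbitrary code with root privileges.
A total of three security vulnerabilities were found in August this year; the most serious one is tracked as CVE-2016-9150. It is caused by improper handling of a buffer overflow in the PAN-OS web management server; once exploited, it may allow arbitrary code execution and may also be used for a DoS attack.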
//END
The vulnerabilities affect PAN-OS 5.0.19 and earlier, PAN-OS 5.1.12 and earlier, PAN-OS 6.0.14 and earlier, PAN-OS 6.1.14 and earlier, PAN-OS 7.0.10 and earlier, and PAN-OS 7.1.5 and earlier. The issues were addressed last week with the release of PAN-OS versions 5.0.20, 5.1.13, 6.0.15, 6.1.15, 7.0.11 and 7.1.6.
The updates also resolve a post-authentication vulnerability that can allow XPath manipulation, and an OpenSSH flaw. Both of these issues have been rated “low severity.”
Ormandy has discovered serious vulnerabilities in products from several security solutions providers, including Symantec, FireEye, Trend Micro, Comodo, Kaspersky Lab, AVG and Avast.
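The vulnerabilities have now been patched; to fix them, upgrade to PAN-OS 5.0.20, 5.1.13, 6.0.15, 6.1.15, 7.0.11, or 7.1.6 or later.
Comment: Security companies no longer just develop an antivirus program and call it done; they have essentially built their own independent ecosystems, and even have their own OS!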