PANdora’s Box: Palo Alto Firewall Secure Boot Bypass and Firmware Exploits


An in-depth evaluation of three firewall models from Palo Alto Networks has exposed significant vulnerabilities, ranging from Secure Boot bypass flaws to firmware exploitation risks. The research, conducted by security vendor Eclypsium, highlights weaknesses in both the firmware and configuration of these firewalls, presenting serious implications for organizations relying on them for network protection.

Overview of the Findings

Eclypsium’s investigation revealed several critical vulnerabilities, all of them already well known in the cybersecurity community. These are not obscure or rare issues but widely recognized flaws for which fixes have long been available, and which are typically addressed even in consumer-grade devices.

“These weren’t obscure, corner-case vulnerabilities,” Eclypsium stated in a report shared with The Hacker News. “These issues could allow attackers to evade even the most basic integrity protections, such as Secure Boot, and modify device firmware if exploited.”

The evaluation covered three firewall models: PA-3260, PA-1410, and PA-415. While the PA-3260 reached its end-of-sale status on August 31, 2023, the PA-1410 and PA-415 remain fully supported firewall platforms. Despite their active status, these models were found to have exploitable flaws that raise concerns about their resilience against advanced threat actors.

The Vulnerabilities: PANdora’s Box

The vulnerabilities, collectively named PANdora’s Box, include the following:

  1. CVE-2020-10713 (“BootHole”):

    • Affects: PA-3260, PA-1410, PA-415

    • Description: A buffer overflow in the GRUB2 bootloader’s configuration-file parser that allows Secure Boot to be bypassed on Linux systems with the feature enabled.

  2. System Management Mode (SMM) Vulnerabilities:

    • CVEs: CVE-2022-24030, CVE-2021-33627, CVE-2021-42060, CVE-2021-42554, CVE-2021-43323, CVE-2021-45970

    • Affects: PA-3260

    • Description: Memory-corruption flaws in the SMM code of Insyde Software’s InsydeH2O UEFI firmware that could let an attacker with administrative access gain code execution in System Management Mode, escalating privileges and bypassing Secure Boot.

  3. LogoFAIL:

    • Affects: PA-3260

    • Description: Exploits vulnerabilities in the UEFI firmware’s image-parsing libraries, triggered by a crafted boot logo, to bypass Secure Boot and execute malicious code during startup.

  4. PixieFail:

    • Affects: PA-1410, PA-415

    • Description: Vulnerabilities in the TCP/IP network protocol stack of the UEFI reference implementation (TianoCore EDK II), reachable over the network during PXE boot and leading to potential code execution and data disclosure.

  5. Insecure Flash Access Control:

    • Affects: PA-415

    • Description: SPI flash write-protection controls that are not fully enabled, allowing an attacker with sufficient privileges on the device to write directly to the UEFI firmware in flash and bypass the security mechanisms built on it.

  6. CVE-2023-1017:

    • Affects: PA-415

    • Description: An out-of-bounds write vulnerability in the Trusted Platform Module (TPM) 2.0 reference library specification (in the CryptParameterDecryption routine), reachable by a local attacker who can send crafted commands to the TPM.

  7. Intel BootGuard Leaked Keys Bypass:

    • Affects: PA-1410

    • Description: Intel Boot Guard on this model relies on signing keys that have since been leaked publicly; an attacker holding the leaked key material can sign modified firmware that Boot Guard will accept, defeating its protection.
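
Item 5 above (“Insecure Flash Access Control”) comes down to a handful of chipset registers. The following is an added example, not code from Eclypsium’s report or from Palo Alto Networks, that decodes those registers to decide whether the BIOS region of SPI flash is actually write-protected. It applies the same rule the open-source chipsec `bios_wp` module uses: the region is protected either when BIOS_CNTL has BLE=1 and SMM_BWP=1 (so only SMM code can write), or when Protected Range registers with WPE=1 cover the whole region and FLOCKDN is set so they cannot be reprogrammed. The register bit layouts assume an Intel PCH; every register value and the flash layout are constructed for illustration.

```python
"""Decode Intel PCH SPI flash write-protection state (added example).

Not code from Eclypsium or Palo Alto Networks. Register values and the
flash layout below are constructed; on real hardware they would be read
with a tool such as chipsec.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# BIOS_CNTL (PCH LPC/SPI configuration register) bit positions.
BIOSWE = 1 << 0    # BIOS Write Enable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only from SMM
# HSFSTS (SPI MMIO status register) bit 15: Flash Configuration Lock-Down.
FLOCKDN = 1 << 15


def decode_pr(pr: int) -> Tuple[int, int, bool]:
    """Split a PRx register into (base, limit, write_protect_enabled).

    Layout: bits 12:0 = base, bits 28:16 = limit, both in 4 KiB units;
    bit 31 = WPE. An all-zero register protects nothing.
    """
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    wpe = bool(pr & (1 << 31))
    return base, limit, wpe


def covered_by_prs(region: Tuple[int, int], prs: List[int]) -> bool:
    """True if every byte of region=(start, end) lies in some WPE=1 range."""
    start, end = region
    ranges = sorted((b, l) for b, l, wpe in map(decode_pr, prs) if wpe and l >= b)
    cursor = start  # first address not yet known to be protected
    for b, l in ranges:
        if b > cursor:
            break  # unprotected gap before this range
        cursor = max(cursor, l + 1)
        if cursor > end:
            return True
    return cursor > end


@dataclass
class FlashProtection:
    bios_cntl: int
    hsfsts: int
    prs: List[int]                # PR0..PR4 raw values
    bios_region: Tuple[int, int]  # inclusive byte addresses within flash


def assess(fp: FlashProtection) -> Dict[str, object]:
    """Report whether the BIOS region is write-protected and which controls are missing."""
    bioswe = bool(fp.bios_cntl & BIOSWE)
    ble = bool(fp.bios_cntl & BLE)
    smm_bwp = bool(fp.bios_cntl & SMM_BWP)
    flockdn = bool(fp.hsfsts & FLOCKDN)
    pr_cover = covered_by_prs(fp.bios_region, fp.prs)

    smm_only = ble and smm_bwp and not bioswe   # path (a)
    pr_locked = flockdn and pr_cover            # path (b)

    findings = []
    if bioswe:
        findings.append("BIOSWE=1: BIOS region is writable from the host OS")
    if not ble:
        findings.append("BLE=0: BIOSWE can be set without triggering an SMI")
    if not smm_bwp:
        findings.append("SMM_BWP=0: flash writes are not restricted to SMM")
    if not flockdn:
        findings.append("FLOCKDN=0: protected-range registers can be reprogrammed")
    if not pr_cover:
        findings.append("PR0-PR4 do not cover the whole BIOS region")
    return {"write_protected": smm_only or pr_locked, "via_smm_bwp": smm_only,
            "via_protected_ranges": pr_locked, "findings": findings}


# Constructed sample layout: 16 MiB flash whose BIOS region is the top 8 MiB.
BIOS_REGION = (0x00800000, 0x00FFFFFF)
PR_FULL_BIOS = 0x8FFF0800   # WPE=1, base 0x800000, limit 0xFFFFFF
PR_HALF_BIOS = 0x8BFF0800   # WPE=1, base 0x800000, limit 0xBFFFFF

SAMPLE_DEVICES = {
    # Weak: BIOSWE set, nothing locked; an OS-level attacker can reflash.
    "weak": FlashProtection(0x01, 0x0000, [0, 0, 0, 0, 0], BIOS_REGION),
    # Hardened via BIOS_CNTL: BLE|SMM_BWP set, flash config locked down.
    "smm_bwp": FlashProtection(0x22, 0x8000, [0, 0, 0, 0, 0], BIOS_REGION),
    # Hardened via PR0 covering the full BIOS region, FLOCKDN set.
    "pr_locked": FlashProtection(0x00, 0x8000, [PR_FULL_BIOS, 0, 0, 0, 0], BIOS_REGION),
    # Looks protected, but PR0 covers only the lower half of the region.
    "pr_partial": FlashProtection(0x00, 0x8000, [PR_HALF_BIOS, 0, 0, 0, 0], BIOS_REGION),
    # PR0 covers the region but FLOCKDN is clear, so it can be cleared again.
    "pr_unlocked": FlashProtection(0x00, 0x0000, [PR_FULL_BIOS, 0, 0, 0, 0], BIOS_REGION),
}


def assess_all() -> Dict[str, bool]:
    """Summarise the constructed samples as {name: write_protected}."""
    return {n: bool(assess(fp)["write_protected"]) for n, fp in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, fp in SAMPLE_DEVICES.items():
        result = assess(fp)
        print(f"{name:12s} write_protected={result['write_protected']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

On a real appliance the same values are read from the chipset rather than constructed; `chipsec_main -m common.bios_wp` and `chipsec_main -m common.spi_lock` perform these checks directly. The `pr_partial` and `pr_unlocked` samples are the cases that matter for this finding: protected-range registers that leave a gap, or that are set but not locked, give the appearance of write protection without its effect.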

Implications of the Findings

These vulnerabilities underscore the inherent risks even in devices designed to safeguard networks. Eclypsium noted, “These findings underscore a critical truth: even devices designed to protect can become vectors for attack if not properly secured and maintained.”

Threat actors increasingly target security appliances to exploit their privileged network position. Consequently, organizations must rethink their approach to supply chain security, ensuring robust defense mechanisms are in place to mitigate these risks.


Recommended Mitigations and Enhancements

Eclypsium’s report emphasizes several actionable steps for organizations:

  1. Rigorous Vendor Assessments:

    • Before deployment, ensure vendors adhere to stringent security standards and conduct independent audits of device firmware.

  2. Regular Firmware Updates:

    • Keep firmware updated to address known vulnerabilities promptly. Automate the update process where possible to minimize delays.

  3. Continuous Device Integrity Monitoring:

    • Implement monitoring tools to detect unauthorized changes to firmware or configurations.

  4. Best Practice Configurations:

    • Follow vendor-recommended configurations, such as securing management interfaces, to reduce exposure.

Palo Alto Networks’ Response

Palo Alto Networks issued a statement addressing the report:

“The security of our customers is our top priority. Palo Alto Networks is aware of recently published research from Eclypsium regarding potential vulnerabilities affecting some of our Next-Generation Firewall products. Our Product Security Incident Response Team has evaluated these vulnerabilities and determined that the scenarios required for successful exploitation do not exist on up-to-date PAN-OS software under normal conditions with secured management interfaces deployed according to best practice guidelines.”

The company further noted that it is collaborating with third-party vendors to develop any necessary mitigations and will provide updates to affected customers.

Conclusion

The PANdora’s Box findings reveal the critical importance of proactive security measures for network devices. Organizations relying on Palo Alto Networks firewalls should immediately review their configurations, apply updates, and adopt robust monitoring practices to mitigate potential risks. As threat actors continue to evolve their techniques, staying ahead of vulnerabilities remains essential for safeguarding critical infrastructure.
