The disclosure of a critical vulnerability, rated 9.8 out of 10, affecting Palo Alto Networks firewall appliances with the GlobalProtect Portal VPN enabled, is causing controversy in the security industry, as it appears one vendor used it for close to a year in "Red Team" penetration testing before disclosing it to the vendor.
Security vendor Randori developed a working exploit for the CVE-2021-3064 flaw, which affects several versions of the PAN-OS software that runs the firewalls in question, leaving over 10,000 internet-facing devices exposed to exploitation by attackers.
Randori says it began researching the GlobalProtect Portal VPN in October last year, and found a buffer overflow bug and a means of bypassing validations performed by an external web server, known as HTTP smuggling.
In December 2020, Randori says it began "authorised use of the vulnerability chain" as part of its automated Red Team attack platform.
It wasn't until September and October this year, however, that Randori disclosed the buffer overflow and HTTP smuggling bugs to Palo Alto Networks, which assigned a Common Vulnerabilities and Exposures (CVE) identifier to the flaws.
Palo Alto Networks issued patches the following month, but Randori has yet to explain why it took some nine months to report the vulnerabilities to the vendor.
The infosec community was initially appalled at the long period of time before Randori disclosed the vulnerability to Palo Alto Networks, questioning the ethics of doing so while using the flaw as part of its Red Team consultancy.
I can't stop thinking about this, @RandoriAttack can you help me understand the logic behind finding a vuln, sitting on it AND exploiting your red team customers with it for nearly a year before disclosing it to the vendor? I think I am missing a perspective here and I am curious. https://t.co/ifz3nnoqI5
— jayjacobs (@jayjacobs) November 10, 2021
It now appears that Palo Alto Networks fixed the bug quietly in September last year, but whether that was intentional is not clear.
Palo Alto Networks has not yet explained why it assigned a CVE to the bug, and issued official patches for it, only this year.