Cyber Security

Palo Alto Vulnerability - Patching and Software Updates

Branko Ninkovic
July 2, 2020

This week Palo Alto Networks disclosed a critical vulnerability that, according to the US government, could be exploited by foreign nation-state actors.

This disclosure comes right on the back of our own Prime Minister Scott Morrison's press announcement that our own nation's public and private sector organisations "are currently being targeted by a sophisticated state-based cyber actor".

So what does all this news mean for Australia, and for Palo Alto Networks?

Let's look at Australia first. Every Australian organisation must practice good cybersecurity hygiene (full stop). Not an option, not up for debate.

Start with the ACSC Essential Eight. Start with patching.  

https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model

Now to Palo Alto Networks. In short, it's not just Palo Alto that has vulnerabilities. It's only that the researchers discovered a vulnerability in a Palo Alto Networks appliance, and that makes for a good news headline. Although in this case the severity rating of 10 (critical), the highest rating possible, does warrant the attention.

Interestingly, the researchers, Salman Khan and Cameron Duck, are part of the Risk and Resilience and Identity Services teams, respectively, at Monash University in Melbourne. Great to read that Salman and Cameron were fully acknowledged by Palo Alto Networks in the security advisory, which you can read here.

https://security.paloaltonetworks.com/CVE-2020-2021

And this is why patching is in the Essential Eight: no vendor's software products (or network appliances) are immune from vulnerabilities.

Here is a list of the top 50 vendors for 2019 by number of security vulnerabilities, which has Microsoft at number 1 with 668 and Apple at number 11 with 229 vulnerabilities discovered. And before you call out that Apple is superior to Microsoft, you have to take into consideration the number of products, not just operating systems.

https://www.cvedetails.com/top-50-vendors.php?year=2019

However, and unfortunately, there is no silver bullet.

Patching will take care of the non-state-based attacks. Foreign state attacks, on the other hand, are an open field when a state-based actor discovers, or purchases, zero-day exploits and does not disclose them.

Then it's game over, and you need a new strategy.

https://techbeacon.com/security/china-eats-nsas-lunch-uses-its-zero-days-year

https://www.wired.com/2015/04/therealdeal-zero-day-exploits/