
Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls

Eclypsium warns that Palo Alto Networks firewalls are impacted by BIOS and bootloader flaws, but the vendor says users should not be concerned.


Enterprise firmware and hardware security company Eclypsium has discovered that several firewalls from Palo Alto Networks are impacted by known BIOS and bootloader vulnerabilities.

Palo Alto Networks has addressed the claims, saying that it’s working on patches for some flaws, but pointed out that most of the security holes are either not easy to exploit or they don’t actually affect its products.

Eclypsium acquired three Palo Alto Networks appliances: PA-3260 (no longer sold, with EOL scheduled for 2028), PA-1410, and PA-415. 

An analysis of the three firewalls revealed that they are all affected by BootHole, a GRUB2 bootloader vulnerability that can be exploited to install persistent and stealthy malware.

This flaw impacts billions of devices and enables an attacker to bypass the Secure Boot mechanism, but exploiting it requires elevated privileges. 

In the case of Palo Alto Networks devices — as the vendor pointed out in 2020 when BootHole was disclosed — an attacker needs to compromise the PAN-OS system and obtain root Linux privileges for exploitation. 


Palo Alto Networks has now reiterated that fact, but Eclypsium noted that a threat actor may be able to obtain the required permissions by combining two recently disclosed PAN-OS vulnerabilities tracked as CVE-2024-0012 and CVE-2024-9474, which have been exploited in the wild to compromise firewalls.

Eclypsium also said the PA-3260 firewall, which is no longer sold, is affected by a series of System Management Mode (SMM) vulnerabilities found in 2022 in InsydeH2O UEFI firmware from Insyde Software. The flaws can allow attackers to escalate privileges, bypass Secure Boot and other security features, install stealthy malware, and modify configurations. 

Palo Alto has confirmed these vulnerabilities and noted that it’s “working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed,” pointing out that other firewalls are not impacted. 

Eclypsium also found that the PA-3260 appliance is affected by the LogoFAIL vulnerabilities, which can allow hackers to compromise devices using malicious UEFI logo images.

However, Palo Alto denied that its firewalls are affected, noting that “PAN-OS is not affected as the conditions required to exploit this vulnerability do not exist in PAN-OS”.

Palo Alto has also denied that its products are impacted by the PixieFail vulnerabilities, which could allow remote code execution. Eclypsium said the PA-1410 and PA-415 appliances are impacted by PixieFail, but the vendor said its “products are unaffected since the BIOS network stack is disabled”.

Eclypsium also reported that PA-415 has “misconfigured SPI flash access controls, which could allow an attacker to modify UEFI directly and bypass other security mechanisms”. 

In response, Palo Alto said, “This requires physical access to the system and tampering hardware. Conditions to exploit this vulnerability do not exist in PAN-OS. We recommend restricting physical access to the firewalls as a best practice.”
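The “SPI flash access controls” Eclypsium refers to are a handful of chipset registers that decide whether the running OS can write to the flash chip holding the UEFI firmware. The script below is an added example, not code from the article, from Eclypsium or from Palo Alto Networks; it decodes constructed values of the Intel PCH BIOS_CNTL register (BIOSWE, BLE and SMM_BWP bits) and the SPI Protected Range registers (PR0..PR4) and reports whether the BIOS region is locked. The bit positions and the 13-bit base/limit field widths are assumptions taken from public Intel PCH datasheets and vary between chipset generations, so a real audit would read the live values with a firmware tool such as CHIPSEC and check them against the platform's datasheet.

```python
# Added example (not from the article, Eclypsium or Palo Alto Networks):
# decode SPI flash write-protection settings from constructed register
# values and decide whether the UEFI firmware region is locked against
# writes from the operating system.

from dataclasses import dataclass, field
from typing import List

# BIOS_CNTL bit layout (assumed from public Intel PCH datasheets):
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash writes currently allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = BIOSWE only honoured while in SMM


@dataclass
class ProtectedRange:
    base: int              # first protected byte offset in flash
    limit: int             # last protected byte offset in flash
    write_protected: bool  # WPE bit set


@dataclass
class Assessment:
    locked_by_bios_cntl: bool
    locked_by_protected_range: bool
    findings: List[str] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        # Either lock mechanism on its own is enough to stop OS-level flash writes.
        return self.locked_by_bios_cntl or self.locked_by_protected_range


def decode_pr(value: int) -> ProtectedRange:
    """Decode one SPI Protected Range register.

    Assumed layout: bit 31 = WPE, bits 28:16 = limit, bits 12:0 = base,
    both base and limit expressed in 4 KiB units.
    """
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    wpe = bool((value >> 31) & 1)
    return ProtectedRange(base, limit, wpe)


def assess_bios_write_protection(bios_cntl: int, pr_values: List[int],
                                 bios_base: int, bios_limit: int) -> Assessment:
    """Report whether the BIOS region [bios_base, bios_limit] is write-protected."""
    findings: List[str] = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: flash writes are enabled right now")
    if not bios_cntl & BLE:
        findings.append("BLE clear: software can set BIOSWE without an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: BIOSWE can be set outside SMM")
    cntl_locked = bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP) and not bios_cntl & BIOSWE

    ranges = [decode_pr(v) for v in pr_values]
    pr_locked = any(r.write_protected and r.base <= bios_base and r.limit >= bios_limit
                    for r in ranges)
    if not pr_locked:
        findings.append("no Protected Range register write-protects the whole BIOS region")

    return Assessment(cntl_locked, pr_locked, findings)


if __name__ == "__main__":
    # Constructed sample values: a 16 MiB flash whose BIOS region is the upper 8 MiB.
    BIOS_BASE, BIOS_LIMIT = 0x00800000, 0x00FFFFFF
    samples = {
        "weak (BIOSWE set, no PR)": (0x01, [0, 0, 0, 0, 0]),
        "locked via BIOS_CNTL": (BLE | SMM_BWP, [0, 0, 0, 0, 0]),
        "locked via PR0": (0x00, [0x8FFF0800, 0, 0, 0, 0]),
        "PR0 covers only last 4 MiB": (0x00, [0x8FFF0C00, 0, 0, 0, 0]),
    }
    for name, (cntl, prs) in samples.items():
        result = assess_bios_write_protection(cntl, prs, BIOS_BASE, BIOS_LIMIT)
        print(f"{name}: {'PROTECTED' if result.protected else 'NOT PROTECTED'}")
        for f in result.findings:
            print(f"  - {f}")
```

The two lock mechanisms are independent: BIOS_CNTL with BLE and SMM_BWP set forces any write attempt through firmware code running in SMM, while a Protected Range register with WPE set makes the SPI controller itself refuse writes to that address range. A configuration that sets neither, or a Protected Range that covers only part of the BIOS region, is the kind of misconfiguration the article's PA-415 finding describes, and the findings list shows which control is missing.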

Eclypsium also pointed to impact from a leaked Intel Boot Guard key, as well as the Trusted Platform Module (TPM) 2.0 issues disclosed in 2023. Palo Alto said its products are not impacted by these issues.

Overall, Palo Alto said, “It is not possible for malicious actors or PAN-OS administrators to exploit these vulnerabilities under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines.” 

It added, “Users and administrators do not have access to the BIOS firmware or permissions to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit these vulnerabilities. These vulnerabilities themselves do not allow an attacker to compromise the PAN-OS software on the firewall.”


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
