Called it
Palo Faulto
A flaw patched last week by Palo Alto Networks is now under active attack and, when chained with two older vulnerabilities, allows attackers to gain root access to affected systems. This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed someone …
It's simpler than that.
Firewalls are at the edge, by definition. They're always going to be accessible by the outside world because that's what they are.
They have to be really fast, as a huge amount of traffic goes through them.
Then a lot of corporates decide to enable deep packet inspection of encrypted communication.
That means the firewall is in fact a blessed MitM attack on absolutely everyone in the company, and holds certificates that every machine in the company trusts. So it can pretend to be anyone - by design.
So it's a public target, with the most external bandwidth, powerful processing, and capable of taking over the entire company on its own.
And thus it's worth spending a huge amount of resources attacking - and as nothing is perfect, issues will be found.
>They're always going to be accessible by the outside world
I disagree: being able to ping a firewall is in no way equivalent to it being "accessible" to the extent described in this article.
The fact that it's located at the border is also irrelevant as long as it doesn't expose any services to the outside world.
The only issue with Palo Alto is that they employ PHP developers to develop its management interface and then allow said interface to be accessed over anything but a serial interface. If it can be accessed over Ethernet then it will be accessed over the Internet, whether you intended that or not.
I'm seeing a pattern, but it might be a hallucination. Referring to Rupert Goodwins' epic - "Time to make C the COBOL of this century - Lions juggling chainsaws are fun to watch, but you wouldn't want them trimming your trees". For one, I think chain flaws probably have nothing to do with C.
Or a massive hazard with a known risk, approaching certainty, of exploitation.
A bit last century I suppose, but I blanch at the thought of placing these over-complicated devices on the network border. To my mind that function would be more securely served by simpler devices that implemented relatively static but broad bedrock security policies, with the more complicated devices placed in network enclaves between the routers/firewalls of the internal networks and the border device. Roughly the DMZ architecture of yore.
I still have a fondness for screening bridges, the headless monks of network traffic filtering.
> A bit last century I suppose but I blanch at the thought of placing these over complicated devices on the network border.
They are referring to the management interface of the firewall.
Most network systems have a management interface nowadays, helps separate management traffic from data.
Pop that management interface on a secure internal network and it reduces the risk of the system getting pwned across the internet, as it would typically not respond to management traffic on an interface that is not the management interface.