
Eclypsium finds security issues in Palo Alto Networks NGFWs

Eclypsium researchers stressed how essential supply chain security is as threat actors increasingly target and exploit vulnerabilities in firewalls, VPNs and other edge devices.

Eclypsium researchers uncovered multiple known vulnerabilities, security weaknesses and misconfigurations in Palo Alto Networks firewall products as notable attacks involving edge devices increase across the threat landscape.

In a blog post published on Thursday, Eclypsium revealed a litany of security issues that researchers Mickey Shkatov and Jesse Michael discovered in three Palo Alto Networks next-generation firewall (NGFW) appliances: PA-3260, PA-1410 and PA-415. The researchers noted that the models they analyzed are fully supported and that the latter two are newer NGFW models.

The findings stemmed from previously disclosed third-party software vulnerabilities and security misconfigurations Eclypsium researchers discovered in Sophos, Cisco and F5 edge devices. Shkatov and Michael found that the same issues affect Palo Alto Networks firewall products, including a Secure Boot bypass vulnerability known as BootHole; six vulnerabilities in UEFI firmware from Insyde Software called InsydeH2O; a set of vulnerabilities known collectively as LogoFail that affect UEFI image parsers; a PixieFail vulnerability, which affects systems that use Tianocore's EDK II UEFI implementation; an insecure SPI flash access control vulnerability; a vulnerability in the Trusted Platform Module 2.0 implementation; and a leaked keys bypass affecting Intel Boot Guard.

"We purchased multiple Palo Alto Networks security appliances, expecting a high level of security and resilience. Instead, what we found under the hood was commodity hardware, vulnerable software and firmware, and missing security features," Eclypsium wrote in the blog post. "These weren't obscure, corner-case vulnerabilities. Instead, these were very well-known issues that we wouldn't expect to see even on a consumer-grade laptop. These issues could allow attackers to evade even the most basic integrity protections, such as Secure Boot, and modify device firmware if exploited."

One of the more concerning vulnerabilities was the BootHole flaw, which affects all three Palo Alto Networks devices. In 2020, Eclypsium researchers disclosed the high-severity vulnerability, tracked as CVE-2020-10713, in Grub2, a widely used bootloader for Linux systems. BootHole exploitation could allow an attacker to manipulate Grub verification and bypass Secure Boot protections. The blog post noted that the flaw affected "billions of devices running Linux distributions and Windows systems with Secure Boot enabled."

Eclypsium documented Palo Alto Networks' response to the vulnerability in 2020, which explained that an attacker would have to compromise the system and gain root Linux privileges to exploit CVE-2020-10713 in Palo Alto PAN-OS devices. While that may have proven effective at the time, Eclypsium highlighted recent Watchtowr Labs research that showed attackers can gain root privileges on Palo Alto PAN-OS devices by chaining exploits for two vulnerabilities tracked as CVE-2024-0012 and CVE-2024-9474. Palo Alto Networks disclosed the zero-day vulnerabilities in November and warned users of broader exploitation activity.

The blog post also detailed the InsydeH2O UEFI vulnerabilities that can affect PA-3260. The version of the InsydeH2O firmware used in PA-3260 contains six previously disclosed high-severity vulnerabilities, mostly related to System Management Mode (SMM). Eclypsium researchers warned that attackers could leverage the SMM flaws to escalate privileges, bypass Secure Boot and install malware to maintain persistence in a victim environment.

"Even if the device was configured with Secure Boot enabled (and configured properly) and the GRUB bootloader was updated to patch the BootHole vulnerabilities, attackers with high privileges on the system could exploit the vulnerabilities listed above to bypass Secure Boot and various other security protections and implant malware early in the boot process," the blog post said.

Edge devices under attack

Thursday's blog post marked Eclypsium's latest research into edge devices following significant attacks where threat actors exploited vulnerabilities in firewalls and VPNs against high-profile targets. The blog post highlighted campaigns conducted over the past year attributed to multiple Chinese nation-state threat groups including Salt Typhoon and Volt Typhoon as damaging examples.

The researchers warned organizations that the "security landscape for network appliances is far more complex and vulnerable" than they may realize. Additionally, they called for organizations to place increased focus on supply chain security as issues like those documented in the research can fall through the cracks.

To that end, Eclypsium researchers urged organizations to conduct rigorous vendor assessments, regular firmware updates and continuous device integrity monitoring.
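The "continuous device integrity monitoring" that Eclypsium recommends comes down to keeping a trusted baseline of the boot-chain artifacts (bootloader, its configuration, the UEFI flash region) and re-checking them on a schedule so that a replaced GRUB binary or an unexpected EFI executable is noticed. The script below is an added illustration of that baseline-and-drift check, written for this article; it is not Eclypsium's or Palo Alto Networks' code, and the artifact paths and contents are constructed sample data rather than anything captured from a real appliance.

```python
"""Boot-artifact integrity baseline and drift check.

Added example for this article (not Eclypsium or Palo Alto Networks code).
Assumes the defender can read the appliance's boot artifacts as bytes, e.g.
from a mounted EFI system partition or a dumped SPI flash region; the paths
and contents below are constructed sample data.
"""
import hashlib
from typing import Dict, List

# Constructed trusted snapshot: taken from a known-good device immediately
# after applying the vendor's firmware update.
KNOWN_GOOD: Dict[str, bytes] = {
    "EFI/BOOT/bootx64.efi": b"shim-sample-bytes-v1",
    "EFI/BOOT/grubx64.efi": b"grub-sample-bytes-v1",
    "EFI/BOOT/grub.cfg": b"set default=0\nlinux /vmlinuz\n",
    "flash/bios_region.bin": b"uefi-sample-region-v1",
}

# Constructed later snapshot: the bootloader binary has changed and an extra
# EFI executable has appeared, while everything else is unchanged.
TAMPERED: Dict[str, bytes] = {
    "EFI/BOOT/bootx64.efi": b"shim-sample-bytes-v1",
    "EFI/BOOT/grubx64.efi": b"grub-sample-bytes-MODIFIED",
    "EFI/BOOT/grub.cfg": b"set default=0\nlinux /vmlinuz\n",
    "flash/bios_region.bin": b"uefi-sample-region-v1",
    "EFI/BOOT/implant.efi": b"unexpected-binary",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of one artifact."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact path to its trusted digest; store this off-device."""
    return {path: sha256_hex(blob) for path, blob in artifacts.items()}


def check_integrity(baseline: Dict[str, str],
                    current: Dict[str, bytes]) -> Dict[str, object]:
    """Compare a fresh snapshot against the baseline.

    Returns the paths whose content changed, the baseline paths that are now
    missing, the paths that were not in the baseline at all, and a 'clean'
    flag that is True only when all three lists are empty.
    """
    now = build_baseline(current)
    modified: List[str] = sorted(
        p for p in baseline if p in now and now[p] != baseline[p])
    missing: List[str] = sorted(p for p in baseline if p not in now)
    unexpected: List[str] = sorted(p for p in now if p not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (modified or missing or unexpected),
    }


def format_report(report: Dict[str, object]) -> str:
    """Render the check result as lines suitable for a log or ticket."""
    if report["clean"]:
        return "boot artifacts match baseline"
    lines = []
    for kind in ("modified", "missing", "unexpected"):
        for path in report[kind]:  # type: ignore[union-attr]
            lines.append(f"{kind.upper()}: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    print(format_report(check_integrity(baseline, KNOWN_GOOD)))
    print(format_report(check_integrity(baseline, TAMPERED)))
```

The baseline must be captured from a device you trust and kept somewhere the device cannot rewrite; a baseline stored on the appliance itself is only as trustworthy as the firmware the article says can be modified. Re-running the check after each vendor update, and treating any "modified" or "unexpected" entry outside an update window as an incident, is the monitoring loop the recommendation describes.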

"These findings underscore a critical truth: even devices designed to protect can become vectors for attack if not properly secured and maintained," the blog post said. "In today's evolving threat landscape, visibility at every level of the technology stack is not just advisable -- it's essential."

Paul Asadoorian, principal security researcher at Eclypsium, told Informa TechTarget that if Palo Alto Networks had conducted a comprehensive audit and vulnerability scan of the platform, it would have discovered the bootloader and UEFI flaws.

"Palo Alto Networks is responsible for identifying and remediating vulnerabilities in the platform (hardware, firmware, and software) they ship to customers," Asadoorian said in an email. "Palo Alto has also signed the CISA Secure-By-Design pledge, which defines practices for securing the supply chain, including SBOMs, specifically stating: 'Transparency should extend to firmware in embedded devices and the data and models used in AI/machine learning (ML).'"

Informa TechTarget contacted Palo Alto Networks for comment but the company did not respond at press time.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
