Palo Alto Networks Security Advisories / CVE-2018-3665

CVE-2018-3665 Information Disclosure in WildFire Appliance (WF-500)

047910
Severity 5.6 · MEDIUM
Attack Vector LOCAL
Scope CHANGED
Attack Complexity HIGH
Confidentiality Impact HIGH
Privileges Required LOW
Integrity Impact NONE
User Interaction NONE
Availability Impact NONE

Description

Palo Alto Networks has determined that the WildFire Appliance (WF-500) is affected by the vulnerability disclosure known as LazyFP and has completed an update to address these issues. The WildFire Appliance (WF-500) software update is now available to customers that use the WildFire Appliance (WF-500) for on-premise sandboxing. Please note that customers using the WildFire cloud service are NOT impacted by this advisory. (PAN-99016/CVE-2018-3665)

Successful exploitation of this issue may allow reads from a compromised sandbox VM (guest OS) to retrieve data from other VMs (another guest OS) or the PAN-OS operating system (host OS) as a result of breaching the separation between kernel and user address space. The analysis method utilized by the WildFire Appliance (WF-500) and WildFire Cloud helps to mitigate the impact of this issue. Each virtualized file analysis session is unique and each session is terminated and destroyed after analysis is complete. The uniqueness of each file analysis session coupled with the limited amount of time allowed to execute an attack within the environment limits the scope of impact that the attacker can have on the sandbox VM (guest OS) and the PAN-OS operating system (host OS).

This issue affects WildFire Appliance (WF-500) running appliance software all versions of 7.1, versions 8.0.17 and earlier, and versions of 8.1.8 and earlier.

Product Status

VersionsAffectedUnaffected
WildFire Appliance 9.0None>= 9.0
WildFire Appliance 8.1<= 8.1.8>= 8.1.9
WildFire Appliance 8.0<= 8.0.17>= 8.0.18
WildFire Appliance 7.17.1

Severity: MEDIUM

CVSSv3.1 Base Score: 5.6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Weakness Type

CWE-200 Information Exposure

Solution

WildFire Appliance (WF-500) software version 8.0.18 and later and 8.1.9 and later.

Please note: WildFire Appliance (WF-500) software versions 9.0 and later are not impacted by this advisory.

The Traps agent does not detect/prevent this specific type of CPU-level side-channel attack.

For WildFire Appliance (WF-500) software versions 7.1 and earlier, please consult the Administrator’s Guide for steps to upgrade (https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/set-up-and-manage-a-wildfire-appliance/upgrade-a-wildfire-appliance#idbce6a8ca-f900-4a49-b28b-de089139ce93).

Workarounds and Mitigations

Customers not using the WildFire Appliance (WF-500) are not impacted by this advisory. Customers using the WildFire cloud are not impacted by this advisory.

© 2024 Palo Alto Networks, Inc. All rights reserved.