Palo Alto Networks Security Advisories / CVE-2018-5391

CVE-2018-5391 Information about FragmentSmack findings

047910
Severity 7.5 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

Description

Palo Alto Networks is aware of recent vulnerability disclosure, known as FragmentSmack, that affects Linux kernel 3.9 and later. At this time, our findings show that some Palo Alto Networks devices running specific versions of PAN-OS are vulnerable to this disclosure. (CVE-2018-5391). This security advisory will be updated as more information becomes available or if there are changes in the impact of these vulnerabilities.

A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. To exploit this vulnerability a remote attacker could send specially crafted packets that trigger time and calculation expensive fragment reassembly algorithms and cause CPU saturation (a denial of service on the system). This only affects the Management Plane of PAN-OS.

This issue affects PAN-OS 6.1.21 and earlier running on PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050. PAN-OS 7.1.19 and earlier running on PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050 and PA-7080. PAN-OS 8.0.12 and earlier running on PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, PA-7050 and PA-7080. PAN-OS 8.1.4 and earlier running on PA-200, PA-220, PA-220R, PA-500, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5220, PA-5250, PA-5260, PA-5280, PA-7050 and PA-7080.

Product Status

VersionsAffectedUnaffected
PAN-OS 8.1<= 8.1.4>= 8.1.5
PAN-OS 8.0<= 8.0.12>= 8.0.13
PAN-OS 7.1<= 7.1.19>= 7.1.20
PAN-OS 6.1<= 6.1.21>= 6.1.22

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness Type

CWE-20 Improper Input Validation

Solution

PAN-OS 6.1.22, PAN-OS 7.1.20 and later, PAN-OS 8.0.13 and later, and PAN-OS 8.1.5 and later.

Workarounds and Mitigations

This issue affects the management interface of PAN-OS. Our best practices guidelines strongly mitigate exposure to this vulnerability and reduce the exposure of the management interface to other potential threats. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/best-practices-for-securing-administrative-access.

© 2020 Palo Alto Networks, Inc. All rights reserved.