This was just in a SANS AtRisk email that I’m subscribed to. If you are using this VPN appliance please be aware of this format string vulnerability. It’s both pre-auth and also capable of remote code execution (RCE). Palo Alto was already aware of this vulnerability internally and they patched the vulnerability, begining with PAN-OS v9.0, which is now shipping with this appliance. However the appliance bought before the patch was made are most likely still running a vulnerable version of PAN-OS so please update to the latest version of PAN-OS:
This content is restricted to site members. If you are an existing user, please log in. New users may register below.