Firm Held Onto Palo Alto VPN Zero-Day for 11 Months

Palo Alto Networks Has Patched, Says No Evidence of Exploitation
A penetration testing company discovered a critical zero-day vulnerability in Palo Alto Networks' GlobalProtect VPN product but did not inform the company until about 11 months later, which has triggered some criticism.
Randori, a startup founded in 2018 and based in Waltham, Massachusetts, defended its actions, saying it ethically used the vulnerability information to develop an exploit that helped test the defenses of its clients. But the company has been criticized for withholding the information from Palo Alto Networks for too long, putting users of the VPN product at risk.
Palo Alto Networks has issued a patch for the buffer overflow vulnerability, CVE-2021-3064, which ranks a 9.8 on the CVSS v3.1 scale. The vulnerability affects PAN-OS 8.1.17 and prior releases. PAN-OS is the operating system for Palo Alto Networks firewalls, and the flaw is exposed on firewalls on which the GlobalProtect VPN portal or gateway has been enabled.
Palo Alto Networks says the flaw could enable "an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges." An attacker would need network access to the GlobalProtect interface in order to exploit it.
According to its write-up and timeline, Randori discovered the buffer overflow on Nov. 19, 2020, and an HTTP smuggling capability, which was used in the exploit chain, a day later. Randori told Palo Alto Networks of the buffer overflow on Sept. 22 and the HTTP smuggling issue on Oct. 11.
Software companies want security researchers to promptly report vulnerabilities and keep that information secret until a patch can be deployed. Not reporting the vulnerability promptly to Palo Alto Networks increased the chance that other threat actors might discover it and abuse it. In an era of growing breaches and intrusions, it's a potentially risky trade-off.
Luckily that doesn't appear to be the case here. In its own advisory, Palo Alto Networks says it isn't aware of any malicious exploitation of the flaw. But upward of 10,000 instances were vulnerable as of Wednesday, when Palo Alto Networks issued a patch, Randori says.
Palo Alto Networks didn't comment directly on Randori's disclosure process. But Nicholas Weaver, a computer security researcher and lecturer at the University of California at Berkeley, called it "abhorrent."
"I personally find this behavior abhorrent. I don't know which is worse, however, the red-team vendor sitting on an 0-day or a network security vendor shipping code with stack overflows and no mitigations enabled."

— Nicholas Weaver (@ncweaver), November 11, 2021
Randori: 'Ethical' Use of Zero-Days
This flaw was particularly dangerous, as many companies still rely on VPNs for employees working remotely to access their systems. Also, this type of software flaw would be of great use to ransomware gangs and their affiliates.
In a chat with ISMG, Randori's principal scientist, Aaron Portnoy, says that "certainly if we ever even suspect that [a] vulnerability is being used by nefarious parties, we'd want to facilitate its patching."
The controversy over the delay in reporting was addressed in a blog post by David Wolpoff, who is Randori's chief technology officer. He contends that the use of zero-day exploits is essential for testing the security defenses of companies.
"Companies face zero-day threats every day, but there have been far fewer opportunities to test resilience against such attacks," Wolpoff writes. "Red team tools and techniques, including zero-day exploits, are necessary to the success of our customers and the cybersecurity world as a whole."
Portnoy says that it's difficult and sometimes impossible to simulate a realistic attack scenario without the use of flaws like the one in GlobalProtect. Using flaws for which there are no patches can test whether other security tools might detect intrusions.
"Randori has customers who've been hit by 'real' hackers with zero-day exploits," Portnoy says. "And when we consider testing those scenarios, there's no real way to simulate. The only way to provide the experience is to provide it."
But there are risks in that valuable software flaws and exploits could leak. In March, an exploit that used several vulnerabilities in Microsoft's Exchange server leaked, resulting in widespread exploitation, and in some cases, ransomware. The U.S. government blamed China (see: How Did the Exchange Server Exploit Leak?).
Wolpoff acknowledged the risks of holding valuable offensive tools.
"However, like any offensive tooling, vulnerability information must be handled carefully and with the respect it is due," he writes. "Our mission is to provide a highly valuable experience to our customers, while also recognizing and managing the associated risks."