Palo Alto Networks has acknowledged that some of its next-generation firewalls running the PAN-OS operating system are suddenly rebooting.
“There was an issue on certain older versions of PAN-OS where the system could crash when handling very specific traffic conditions,” the company told Network World. “This was resolved in hotfix 11.1.4-h12,” which was released with limited availability on Jan. 31.
Affected devices are running version 11.1.4-h7/h9 of the operating system.
“We are currently validating an additional unrelated regression fix in hotfix 11.1.4-h13. Our goal is to release this as a generally available (GA) update by Feb. 20 or sooner. This will ensure all systems are fully optimized and secure with the latest updates,” the statement said.
A “very small number of our customers have experienced this issue,” it added. “If a customer believes they are impacted, they should reach out to our support organization for guidance on the hotfix.”
The company didn’t reply to questions on when the problem was discovered and why there is only limited availability for hotfix 11.1.4-h12.
As for what caused the problem, the company said that won’t be detailed “for security reasons.”
“We encourage customers with specific concerns related to their environments to reach out to our support teams, who are fully prepared to assist,” the statement said.
The issue came to light after some Palo Alto Networks customers posted complaints this week on a Reddit forum. “We had 3 of our 8 firewalls unexpectedly reboot in the past few months,” wrote one person. Another Reddit poster said the issue only happens if the firewall is set to do SSL interception..
“I guess it makes it more difficult for the bad guys to exploit the numerous vulnerabilities if the device keeps rebooting,” said Johannes Ullrich, dean of research at the SANS Institute.
He suspects this is a bug and not something caused by a specific cyber attack. “Firewalls may reboot if they run low in system resources like memory or are hit with a specific packet that triggers a denial of service condition,” he wrote in an email. “Yes, it is possible that a more severe vulnerability, if exploited not quite correctly, causes this, but I would guess at this point that this is not a specific attack.”
Separately, last month researchers at Eclypsium reported that next-generation firewalls they examined from Palo Alto Networks contain years-old known vulnerabilities in their UEFI firmware. UEFI includes the low-level code responsible for initializing a computer’s hardware before loading the operating system installed on the hard drive.
The discovered issues also included insecure configurations that have been known for years, and that could be exploited by attackers with root access on the devices to implant malicious code into the low-level firmware or bootloader.