is it just the me or have there been an insane amount of vulnerabilities in the last couple weeks/months? ps: love the idea of a what-if-they-used-rust-o-meter lmao
I believe this is because we have more cybersecurity specialists than ever before, and there are many more devices and features that involve an internet connection
@@31redorange08 not trying to project. i have been more interested in this topic lately, so idk if this was simply content algorithms (over)doing their job
A firewall with telemetry??? This sounds like an April fools' vulnerability but I'm afraid it's not. And they have the nerve to tell customers to switch telemetry back on once this fiasco has been fixed. Incredible.
Asking the users to turn telemetry back on is the icing on the cake. Why would a company want to keep a feature enabled that 1. Isn’t useful to them, 2. Had previous vulnerabilities? It seems pretty dumb.
@@henryptung exactly! wtf! why?! Surely telemetry just opens a port (with only sending allowed) -> send packet -> close port. Why can it even BE injected? doesn't that imply a 2-way communication? if so, why is telemetry process expecting to receive anything? receiving data is literally the opposite of its purpose.
i saw about this exploit and was like why is there no coverage on it, but then i realised that it was literally out of the over so fresh that not many people had covered. glad you dropped this video
I'm pretty sure in this case it's telemetry for the local admins. Having your firewall phone home (and open extra ports because of it) sounds like the dumbest idea ever.
I'm relatively new to this channel but absolutely love the balance of detail and brevity. It may just be a perfect mix for my knowledge level but it's incredibly valuable. 🎉 Thank you!
All the firewall vulnerabilities I've seen have been for attacks on the management plane/OS of the firewall. I have not heard of an attack that is able to circumvent the firewall directly. I'd love to know if anyone else has heard of one.
Putting this everywhere since the video is a few days old. GlobalProtect is a, really annoying, VPN. Meaning the firewall itself is a server with a port open to the internet.
What would have helped is data tagging to spot a lack of sanitization. Tools like Coverity would have flagged this. Of course, another thing that would have helped is a focus on simplicity. Every feature added is a potential attack surface. Security products that we pay a lot for are sort of oxymorons, Palo Alto Networks is no exception. For the companies to survive, they must constantly add a steady drip of features that their largest customers ask of them, sometimes even just one large customer. And this is a steady drip of increasing attack surface. The best development pattern for something like a firewall core is a fixed mission with low feature creep from a reputable, steadily funded team. Something like OpenBSD.
It is worth pointing out although they say Firewall, the issue appears to be when the VPN Endpoint and Telemetry are enabled. Because they have signatures for it, that hints at the firewall aspect is not the issue, but probably based around the authentication of remote users. As I am a long tooth to me a firewall is a firewall and should not be having other modules shoehorned in, as Citrix NetScalers seem to have exponentially more advisories when they are acting as a VPN endpoint
So we have a closed source OS with telemetry, that has a root code execution vulnerability in a device whose role it is to literally monitor the entire network traffic 24/7. Coolio
You forgot, GlobalProtect is the VPN built into the firewall, so that's an external port open to the world. Oh, and the firewall is designed to and often used to MITM secure traffic on corporate networks...
I don't see corporate network admins looking over this and saying, "oh, we'll leave this enabled" while configuring their stuff, so I hope that lessens the impact
Even though I don't have any issues with Palo Alto, and they have a super valid usage of telemetry, just being able to say the sentence "There's a command injection in their telemetry" gives me catharsis.
So... I think there is a common theme here where a category of security issues arise from not tracking the source of data, and requiring data from untrusted sources to be sanitised before it can be passed on to a potentially scary sink. Rust's ownership model provides one possible tool for this. I think Perl used to have a system for tracking tainted data. There are solutions to this problem that can be enforced mechanically. But the lowest level APIs tend not to do this, and of course, those are the ones most people will hit.
will we ever be able to write code without vulnerabilities? I feel like its a matter of time before something fundamental gets exploited and harms everything.
Nope. It's impossible to avoid vulnerabilities and bugs at some point no matter how perfect code you write. We are humans after all. It's hard to identify whether one has vulnerability against something.
@@ishanjaiswal9041 forget nuclear war. i wonder if the internets vulnerabilities themselves are a ticking timebomb, waiting for someone clever and malicious enough to deal catastrophic damage
I had a thought during the week. That is you cannot just go and buy security. Companies sell the feeling of security but it's best effort and no guarantees that what you are buying isn't riddled with security vulnerabilities. I like the way QubesOS describes themselves as a reasonably secure OS. We can always do better and will never be secure. It's all about making attackers jobs harder.
In a video awhile ago you recommended a website that taught about mostly Linux C-style memory exploits. I forget the name currently. Given that memory safety is the new thing is there any point of really grinding that out now? It's going through like buffer overflows, exploiting the stack or function address table... Etc. seems like that will be outdated?
Is it possible to show the vulnerability in the sourcd code? I feel like without explaining how it got introduced and what should be done instead... I am not learning anything for me.
@@Sypakasoftware, firmware, microcode, and chip. A chip level defect is the worst, especially if it is a kind that cannot be mitigated by microcode or other patch.
If a firewall inspects packets, then is it theoretically possible that a firewall gets exploited because they parsed/inspected a certain malicious packet? I mean in principle 🤔
i feel like finding out about all of these these volnitabilitues all the time is going to give me some sort of depression at some point P. S. I mean, when you learn that one thing became not safe, another one did and you need to update it in the future, and so on. Like, nothing feels secure
Why didn't they wait until a patch was available to release the info about the vulnerability? With a lot of software things are like here is a vulnerability and here is the patch. With open source projects you can later see emails about the vulnerability dated way before the disclosure date.
"Oh whoops how careless we left a 'debugging feature' enabled which allowed remote code execution" said yet another network appliance/firewall/switch manufacturer
So, they had a backdoor that they put their on purpose and someone other than them found it. That is the only conclusion i can get from this coming from telemetry
The only firewall I trust is iptables. Though the rules are not that easy to write, it takes only a few pieces of data from incoming packets. Parsing application layer stuff should be done by the program dealing with the traffic AND without root permissions. Complex listeners with way too much useless automation have been proven dangerous countless times.
The problem is that firewalls on a host are not that easy to configure on a large scale, also doesn't support rules based on DNS, no real threat intelligence.
You only need a very few rules of thumb to prevent this kind of vulnerability. (1) Don't run code as root if it isn't totally necessary. (2) Don't read in arbitrary amounts of data. (3) Check incoming data for plausibility. (4) Check incoming data for escape sequences and delimiters and delete or ignore such data. (5) Don't stuff incoming data into a system command that you run. (6) Use all the length-limited string functions, the ones with a "n" in them, with the right n limit. (7) Check each and every use of an array to ensure no index gets out of bounds. (8) Check each pointer to ensure it's not null or some wild value.
Unplugging the server and ups from the wall also provides perfect security except for cases of physical access. I do agree with most of what you say to be fair.
Imagine running remote applications on a firewall... It is like they want to get hacked.. Like really? Firewall should have NO services, NO local connections out to the network(s) at all besides the needed for getting network conffig from ISP. Pref not even that. A static config is pref to avoid MitM exploits. It should only bee filtering the network traffic and nothing else..
Rust would probably not have solved this, but it could if the vulnerability comes from usage of something as dumb as PHP system(), or something else which sends commands to the shell instead of directly to input arguments of a program.
Indeed, software is software, software is buggy and therefore, software will have a vulnerability somewhere, so even Palo Alto isnt invulnerable (sorry) to issues like these
Frankly I'm not surprised, screw Palo Alto. PA is so outdated and behind the current technologies and quality of life for their Network Security Engineers. Cisco and Checkpoint all the way!
"But, can your firewall get hacked?" Let's see...is your firewall a piece of software written using libraries that may or may not have vulnerabilities that can be exploited by hackers? If the answer is "Yes" then yes, your firewall can get hacked. Essentially, any piece of code that allows for - by whatever means - the reading and processing of data, is a target for hackers.
Honestly, same. I was about to go see if my distro had a patch/update, when im like lets just watch the first few minutes and check, so glad it's not netfilter/iptables.
@@fenix849 Haven't switched to nft yet? It's really good! I just hate that you can't remove iptables on every distro yet. One of the reasons why I switched to OpenBSD. Though their pf is shit. Don't let them fool you. It's completely backwards. Anyway, about nftables. If you switch, unlike pf, where you have to pretend it's iptables, in nft you have to think in ipv4 and ipv6, not in tables. Make one table for each and that's it, otherwise you can't use your sets in nat and filter at the same time.
It's a skill issue on the part of the developers, as well as overreach from the company. Telemetry is nearly always a bad thing that shouldn't be incorporated into any products, but there are tools that can check vulnerabilities in software which should have been used but clearly were not. And processing commands taken from external input should require far more scrutiny than it usually does, these moroffs just haven't gotten the message yet. They're not the only ones either, they're just the most recent to be discovered. It'll happen again and again and it won't matter what language they're using, Rust or otherwise, it's an overall skill issue. If anyone does read this they'll think that I'm saying the particular error here could have been checked by existing tools even though that's not what I'm saying, and they won't read this last sentence to see a clarification.
Soooo. What are the other firewalls affected? Is that not what is alluded to with the title of the video? Other than the paloalto os', I didn't see any others listed...
I don't give a fuck how popular they are why tthe fuck is telemetry on by default?! This isn't fucking Windows, this is my god damn firewall, I haven't even gotten to the point where I need a standalone firewall, but if they're phoning home by default they can kiss me as a customer goodbye
One thing to be aware of this is also likely affecting the Prisma access SASE devides hosted by Palo Alto as they are just VM series NGFW under the hood.
I've seen some people diss telemetry, but in some cases it can be a really great tool. Telemetry doesn't always mean someone selling your data to ad companies. In this case, off the top of my head, that telemetry can be used to identify ongoing attempts to bypass security. Then because of telemetry, they can see it happen across the entire US and send out an advisory. Or it can be used to identify behaviour in the past that may have been indicative of a hack in situations where a 0 day with a specific signature is discovered.
Mmm... It makes me wonder, because telemetry in the windows sense would not provide an open port on the unsafe side of the firewall... It'd just connect directly to Palo Alto's servers and not provide an angle for arbitrary remote bad actors to get in. So this means it is either meant for the net admins to access data on their firewall remotely (which if you have any real security needs you should disable that and make it accessible LAN-side or VPN-side only), or... It's a backdoor for Palo Alto to use to get in, which might have a legitimate business use (helping unskilled admins configure their firewall), but it's also something any good admin who has half a clue what they're doing should turn off, specifically because of how much it increases your attack surface. Either of these are pretty similar to just allowing remote logins on a direct connection. Now, it's been a while since I used Palo Alto, so I don't remember if their firewalls had such features off the top of my head, but I know for sure the secure environment I was working in would have them disabled. But not every business *needs* a rigid security posture... And a lot will readily compromise security for ease of use, like... Paying Palo Alto themselves to configure a fire wall instead of paying an ongoing employee with enough skill to do more than the most basic daily admin tasks themselves. I've actually worked at a place that was *frustrated* by me having a similar skill level to the people on the expensive remote management contract they were paying for, and I got dressed down for fixing things myself instead of calling them and twiddling my thumbs while on hold.
@@psiah9889It’s becoming increasingly more prevalent to see people not being allowed to work on the things that they have for their own organization. We go through the same thing here and it’s so frustrating knowing we can fix it, yet we’re on a multiple day wait for the company to get back with us to fix something
It should not be enabled on a firewall. A firewall is a device where security is very important, so minimizing the attack surface of the software running on it is important. Telemetry is a part of the application that is interacts with the network, which increases the attack surface and potential for vulnerabilities. Telemetry is not the same thing as logging and isn't necessary.
People have proven capable of writing exploitable code on pretty much any language, be it memory safe or not. Why do you think languages such as Rust with a way more complex syntax and use will suddenly make things better? The only change I see is type of mistakes being made. Command injection is for scripts, they are memory safe, and yet we have 10 out of 10 score. Get my point?
![Lp. Сердце Вселенной #1 НАЧАЛО ПУТЕШЕСТВИЯ [Новый сезон] • Майнкрафт](http://i.ytimg.com/vi/380Q7gLWGvk/mqdefault.jpg)
is it just the me or have there been an insane amount of vulnerabilities in the last couple weeks/months?
ps: love the idea of a what-if-they-used-rust-o-meter lmao
It's not necessarily more, but the impact of the vulnerabilities seems to be higher...
I believe this is because we have more cybersecurity specialists than ever before, and there are many more devices and features that involve an internet connection
It's just you. Stop projecting.
It's not just you
@@31redorange08 not trying to project. i have been more interested in this topic lately, so idk if this was simply content algorithms (over)doing their job
I changed my wifi network names to my credit card and banking details, preventing the need for being hacked to enter my network entirely! #science
🧠🧠 Ohio level IQ moment
brilliance
I think your sentence is reversed. It sounds like you meant to say "to prevent the need to enter my network to steal my card" ;)
@@MyAmazingUsername I didnt understand anything of that comment, can you please explain what he meant to say?
@@NachitenRemix Putting his credit card number as wifi name to save the hacker's time. 💀
This issue somehow related to a "telemetry" feature looks like a disguised backdoor to me, don't know why
like the robot bees in Black Mirror
wonder why so many exploit and bugs have been found in such short time, perhaps the linux exploit raised the auditing level to overdrive?
Not a bad thing imo, better than them being found by bad actors first
AI tools are finding them.
@@ianvecmanis5642 lol not today, not today
@@ianvecmanis5642 from what i've seen the AI tools currently most of the time just point to pointless stuff and lead to clutter in bugtracker
@@ianvecmanis5642 Ain't no way.
A firewall with telemetry??? This sounds like an April fools' vulnerability but I'm afraid it's not. And they have the nerve to tell customers to switch telemetry back on once this fiasco has been fixed. Incredible.
That’s why we make our own!
Asking the users to turn telemetry back on is the icing on the cake. Why would a company want to keep a feature enabled that 1. Isn’t useful to them, 2. Had previous vulnerabilities? It seems pretty dumb.
Telemetry is replacing snmp? Which have been around in network proucts forever
Telemetry...with root privilege
@@henryptung exactly! wtf! why?! Surely telemetry just opens a port (with only sending allowed) -> send packet -> close port. Why can it even BE injected? doesn't that imply a 2-way communication? if so, why is telemetry process expecting to receive anything? receiving data is literally the opposite of its purpose.
device telemetry...
... do I have to be that guy?
thats where the NSA and Mossad get in through the backdoor
@@yeetyeet7070 based noticer
telemetry is an opt-in feature for Palo Alto firewalls. But yeah, I share your concerns.
i saw about this exploit and was like why is there no coverage on it, but then i realised that it was literally out of the over so fresh that not many people had covered. glad you dropped this video
Damn, NSA is taking a lot of losses recently.
I'm afraid they're probably discovering new exploits faster than their existing ones are getting fixed.
All kinds of backdoors being discovered.
I'm pretty sure in this case it's telemetry for the local admins. Having your firewall phone home (and open extra ports because of it) sounds like the dumbest idea ever.
it's for a feature called AiOps to do best practice assessments and collect system utilization of many firewalls on a cloud based platform
I'm relatively new to this channel but absolutely love the balance of detail and brevity. It may just be a perfect mix for my knowledge level but it's incredibly valuable. 🎉 Thank you!
I really love the would-rust-have-fixed-this-meter. That sounds like a great idea!
This video made me remember to turn on and configure my firewall. I turned off my firewall half a year ago because of kde connect and forgot about it.
This is turning out to be the year of vulnerabilities
Just wait for next year, you haven`t seen anything yet ^^
I say that every year
Can't get firewall hacked if you don't use a firewall. * _taps head_ *
All the firewall vulnerabilities I've seen have been for attacks on the management plane/OS of the firewall. I have not heard of an attack that is able to circumvent the firewall directly. I'd love to know if anyone else has heard of one.
No because direct circumvention is an oxymoron
Putting this everywhere since the video is a few days old. GlobalProtect is a, really annoying, VPN. Meaning the firewall itself is a server with a port open to the internet.
Been here for a while and really enjoying your videos, keep it up :)
Reminds me of the 2019 cve for netscaler and how every body thought they didnt need additional firewalls.
This CVE took my entire morning!
What would have helped is data tagging to spot a lack of sanitization. Tools like Coverity would have flagged this.
Of course, another thing that would have helped is a focus on simplicity. Every feature added is a potential attack surface. Security products that we pay a lot for are sort of oxymorons, Palo Alto Networks is no exception. For the companies to survive, they must constantly add a steady drip of features that their largest customers ask of them, sometimes even just one large customer. And this is a steady drip of increasing attack surface.
The best development pattern for something like a firewall core is a fixed mission with low feature creep from a reputable, steadily funded team. Something like OpenBSD.
Agreed on the "one thing" part. GlobalProtect is a VPN feature. At the least, it should be containerized compared to the rest of the firewall.
It is worth pointing out although they say Firewall, the issue appears to be when the VPN Endpoint and Telemetry are enabled.
Because they have signatures for it, that hints at the firewall aspect is not the issue, but probably based around the authentication of remote users.
As I am a long tooth to me a firewall is a firewall and should not be having other modules shoehorned in, as Citrix NetScalers seem to have exponentially more advisories when they are acting as a VPN endpoint
A painful VPN at that. The worst part is I'm pretty sure, for some companies, the second choice from GlobalProtect is to use the NetScaler boxes...
Ah *Telemetry* i always knew this is a PLANNED backdoor into every software, i disabled mine in Windows
I did the same thing by switching to Arch Linux
I don't think you can fully disable telemetry in Windows
@@adamk.7177 Can't afford that move right now
@@adamk.7177btw
@@zokalyx yes, windows still collect info, mostly about errors
So we have a closed source OS with telemetry, that has a root code execution vulnerability in a device whose role it is to literally monitor the entire network traffic 24/7. Coolio
You forgot, GlobalProtect is the VPN built into the firewall, so that's an external port open to the world. Oh, and the firewall is designed to and often used to MITM secure traffic on corporate networks...
This one is used by like every big manufacturing and tech company. I wonder who has been sipping the secrets away.
Very good concise explanation good for young folks starting out!
People acting like day zeroes don't exist in multiples right now(as they always have) . They just haven't been found yet by the "good guys."
"...firewalls are just code, just software on the firewall written by humans..." Well, probably, and hopefully for a long time going forward.
I don't see corporate network admins looking over this and saying, "oh, we'll leave this enabled" while configuring their stuff, so I hope that lessens the impact
I have a PanOS in my home network, will need to check the version when I get home
Even though I don't have any issues with Palo Alto, and they have a super valid usage of telemetry, just being able to say the sentence "There's a command injection in their telemetry" gives me catharsis.
I don’t understand if this is for all firewalls or just this pan-os and if this is for Linux in general?
The XZ situation really is having some ripples, huh? Another vulnerability found in such a short time.
So... I think there is a common theme here where a category of security issues arise from not tracking the source of data, and requiring data from untrusted sources to be sanitised before it can be passed on to a potentially scary sink. Rust's ownership model provides one possible tool for this. I think Perl used to have a system for tracking tainted data. There are solutions to this problem that can be enforced mechanically. But the lowest level APIs tend not to do this, and of course, those are the ones most people will hit.
I was not expecting this to be about palo alto. Dam.
Love these videos!
Ahh yes.. a "bug" in the telemetry service, of course
will we ever be able to write code without vulnerabilities?
I feel like its a matter of time before something fundamental gets exploited and harms everything.
Nope. It's impossible to avoid vulnerabilities and bugs at some point no matter how perfect code you write. We are humans after all.
It's hard to identify whether one has vulnerability against something.
@@ishanjaiswal9041 forget nuclear war. i wonder if the internets vulnerabilities themselves are a ticking timebomb, waiting for someone clever and malicious enough to deal catastrophic damage
I had a thought during the week. That is you cannot just go and buy security. Companies sell the feeling of security but it's best effort and no guarantees that what you are buying isn't riddled with security vulnerabilities. I like the way QubesOS describes themselves as a reasonably secure OS. We can always do better and will never be secure. It's all about making attackers jobs harder.
Business as usual 😊
There . . i was waiting for this.. but then.. i got no Palo-Alto FW ..
does this bleed through into other FW applications
The reason RUST's bug doesn't really feel like a 10/10 bug is because the prolem is not an issue that even should be fixed by the language you use.
Can it RCE with root because the firewall is running as root?
In a video awhile ago you recommended a website that taught about mostly Linux C-style memory exploits. I forget the name currently.
Given that memory safety is the new thing is there any point of really grinding that out now? It's going through like buffer overflows, exploiting the stack or function address table... Etc. seems like that will be outdated?
Is it possible to show the vulnerability in the sourcd code? I feel like without explaining how it got introduced and what should be done instead... I am not learning anything for me.
I want to know what an 11/10 vulnerability looks like
The same, but in something safety-critical. For instance in Industry.
One that makes a poweplant go poof
It would be a vulnerability, which is unable to be patched just by code alone.
@@Sypakasoftware, firmware, microcode, and chip. A chip level defect is the worst, especially if it is a kind that cannot be mitigated by microcode or other patch.
How ro know if my firewall data has sent to attacker or not? I see some output for grep command.😮
Part of me makes me wonder, is this actually a bug, or did someone just find their backdoor which is part of their telemetry?
is any rust course coming soon to the academy ?
If a firewall inspects packets, then is it theoretically possible that a firewall gets exploited because they parsed/inspected a certain malicious packet?
I mean in principle 🤔
Welp this one is huge. I wonder how long it has been exploited for.
damn, we are getting new bugs on a daily basis,
a bug a day keeps the your personal data on fire.
they're FINDING them on a daily basis, you always had them though, they just went unnoticed longer
i feel like finding out about all of these these volnitabilitues all the time is going to give me some sort of depression at some point
P. S. I mean, when you learn that one thing became not safe, another one did and you need to update it in the future, and so on. Like, nothing feels secure
Never heard of Palo Alto firewalls, I used only ipfw, ipf, pf and iptables.
Perhaps the garbage telemetry was the way in.
Most of the network devices use old kernels and old software stack, so it is buggy.
Why didn't they wait until a patch was available to release the info about the vulnerability? With a lot of software things are like here is a vulnerability and here is the patch. With open source projects you can later see emails about the vulnerability dated way before the disclosure date.
Because there are workarounds. Disable telemetry, enable the specific threat ID in the Vulnerability profile, etc
that can only be fixed by not even being turing complete to begin with, aka, don't ever have command as input.
"Oh whoops how careless we left a 'debugging feature' enabled which allowed remote code execution" said yet another network appliance/firewall/switch manufacturer
Palos also use Redis and MongoDB
So, they had a backdoor that they put their on purpose and someone other than them found it. That is the only conclusion i can get from this coming from telemetry
The only firewall I trust is iptables. Though the rules are not that easy to write, it takes only a few pieces of data from incoming packets. Parsing application layer stuff should be done by the program dealing with the traffic AND without root permissions. Complex listeners with way too much useless automation have been proven dangerous countless times.
something might just peddle through - with or without iptables..
Next: CVE in iptables by a backdoor using some wierd ass obscure lib
The problem is that firewalls on a host are not that easy to configure on a large scale, also doesn't support rules based on DNS, no real threat intelligence.
was this a bug..... or a feature? :)
You only need a very few rules of thumb to prevent this kind of vulnerability.
(1) Don't run code as root if it isn't totally necessary.
(2) Don't read in arbitrary amounts of data.
(3) Check incoming data for plausibility.
(4) Check incoming data for escape sequences and delimiters and delete or ignore such data.
(5) Don't stuff incoming data into a system command that you run.
(6) Use all the length-limited string functions, the ones with a "n" in them, with the right n limit.
(7) Check each and every use of an array to ensure no index gets out of bounds.
(8) Check each pointer to ensure it's not null or some wild value.
Unplugging the server and ups from the wall also provides perfect security except for cases of physical access. I do agree with most of what you say to be fair.
They deserve this for inventing prisma cloud
Imagine running remote applications on a firewall...
It is like they want to get hacked..
Like really?
Firewall should have NO services,
NO local connections out to the network(s) at all besides the needed for getting network conffig from ISP.
Pref not even that.
A static config is pref to avoid MitM exploits.
It should only bee filtering the network traffic and nothing else..
There's so many bots/spammers ._.
Rust would probably not have solved this, but it could if the vulnerability comes from usage of something as dumb as PHP system(), or something else which sends commands to the shell instead of directly to input arguments of a program.
I like telemetry... Sooo much winning 😂
Indeed, software is software, software is buggy and therefore, software will have a vulnerability somewhere, so even Palo Alto isnt invulnerable (sorry) to issues like these
Quick boys! New vulnerability just dropped!
Frankly I'm not surprised, screw Palo Alto. PA is so outdated and behind the current technologies and quality of life for their Network Security Engineers.
Cisco and Checkpoint all the way!
"But, can your firewall get hacked?" Let's see...is your firewall a piece of software written using libraries that may or may not have vulnerabilities that can be exploited by hackers? If the answer is "Yes" then yes, your firewall can get hacked. Essentially, any piece of code that allows for - by whatever means - the reading and processing of data, is a target for hackers.
So the Indian Tech Support Scammers were right, I DID need a new firewall.
What Rust doesn't fix is dangerous
iptables baby
Once again, a telemetry is the root cause of all evil.
inb4 it was Rust all along
And I thought there was a netfilter issue or pf even.
Honestly, same. I was about to go see if my distro had a patch/update, when im like lets just watch the first few minutes and check, so glad it's not netfilter/iptables.
@@fenix849 Haven't switched to nft yet? It's really good! I just hate that you can't remove iptables on every distro yet. One of the reasons why I switched to OpenBSD. Though their pf is shit. Don't let them fool you. It's completely backwards.
Anyway, about nftables. If you switch, unlike pf, where you have to pretend it's iptables, in nft you have to think in ipv4 and ipv6, not in tables. Make one table for each and that's it, otherwise you can't use your sets in nat and filter at the same time.
When a collab with John Hammond?
*another* Palo Alto vulnerability? Deja vu...
Cases like this confirms my opinion that open source firewalls are way better for business
Use two different firewalls so If it passes one there is another!
It's a skill issue on the part of the developers, as well as overreach from the company. Telemetry is nearly always a bad thing that shouldn't be incorporated into any products, but there are tools that can check vulnerabilities in software which should have been used but clearly were not. And processing commands taken from external input should require far more scrutiny than it usually does, these moroffs just haven't gotten the message yet. They're not the only ones either, they're just the most recent to be discovered. It'll happen again and again and it won't matter what language they're using, Rust or otherwise, it's an overall skill issue. If anyone does read this they'll think that I'm saying the particular error here could have been checked by existing tools even though that's not what I'm saying, and they won't read this last sentence to see a clarification.
Little added info from him, just reading what is there - not really enjoying this but maybe there is a future video that explains more indepth things.
Is the vulnerability in firewalld ? That's what I use.
Good old telemetry to bite you in the backside.
Soooo. What are the other firewalls affected? Is that not what is alluded to with the title of the video? Other than the paloalto os', I didn't see any others listed...
I want to learn rust but I have no idea about memory management and rust has high learnig carve but I know python.
Hey man you should get some more light on your face and lower the ISO, it'll look better!
Can you please do a video on golang?
Not again...
Palo alto, cisco, fortinet all get exploited all the time. Nothing new imo
I don't give a fuck how popular they are why tthe fuck is telemetry on by default?! This isn't fucking Windows, this is my god damn firewall, I haven't even gotten to the point where I need a standalone firewall, but if they're phoning home by default they can kiss me as a customer goodbye
One thing to be aware of this is also likely affecting the Prisma access SASE devides hosted by Palo Alto as they are just VM series NGFW under the hood.
I've seen some people diss telemetry, but in some cases it can be a really great tool. Telemetry doesn't always mean someone selling your data to ad companies.
In this case, off the top of my head, that telemetry can be used to identify ongoing attempts to bypass security. Then because of telemetry, they can see it happen across the entire US and send out an advisory.
Or it can be used to identify behaviour in the past that may have been indicative of a hack in situations where a 0 day with a specific signature is discovered.
it might have a different name ?
sharing IDS logs ?
Mmm... It makes me wonder, because telemetry in the windows sense would not provide an open port on the unsafe side of the firewall... It'd just connect directly to Palo Alto's servers and not provide an angle for arbitrary remote bad actors to get in.
So this means it is either meant for the net admins to access data on their firewall remotely (which if you have any real security needs you should disable that and make it accessible LAN-side or VPN-side only), or... It's a backdoor for Palo Alto to use to get in, which might have a legitimate business use (helping unskilled admins configure their firewall), but it's also something any good admin who has half a clue what they're doing should turn off, specifically because of how much it increases your attack surface. Either of these are pretty similar to just allowing remote logins on a direct connection. Now, it's been a while since I used Palo Alto, so I don't remember if their firewalls had such features off the top of my head, but I know for sure the secure environment I was working in would have them disabled. But not every business *needs* a rigid security posture... And a lot will readily compromise security for ease of use, like... Paying Palo Alto themselves to configure a fire wall instead of paying an ongoing employee with enough skill to do more than the most basic daily admin tasks themselves.
I've actually worked at a place that was *frustrated* by me having a similar skill level to the people on the expensive remote management contract they were paying for, and I got dressed down for fixing things myself instead of calling them and twiddling my thumbs while on hold.
@@psiah9889It’s becoming increasingly more prevalent to see people not being allowed to work on the things that they have for their own organization. We go through the same thing here and it’s so frustrating knowing we can fix it, yet we’re on a multiple day wait for the company to get back with us to fix something
It should not be enabled on a firewall. A firewall is a device where security is very important, so minimizing the attack surface of the software running on it is important. Telemetry is a part of the application that is interacts with the network, which increases the attack surface and potential for vulnerabilities. Telemetry is not the same thing as logging and isn't necessary.
vulnerability in device telemetry. lol
Rust, exploited rust?
Rust is just cpp if the compiler was a total Karen
It was fine. As long as excel.exe don't get out.
POTUS sponsored rust-o-meter lol
I'm really searching for this. ❤❤
Great work bro 👏
People have proven capable of writing exploitable code on pretty much any language, be it memory safe or not. Why do you think languages such as Rust with a way more complex syntax and use will suddenly make things better? The only change I see is type of mistakes being made. Command injection is for scripts, they are memory safe, and yet we have 10 out of 10 score. Get my point?
"Command injection is for scripts" no