Secure Boot Bypass and Firmware Exploits Found in Palo Alto Firewalls

Jan 23, 2025Ravie LakshmananFirmware Security / Risk

A thorough evaluation of three firewall models from Palo Alto Networks has uncovered a number of known security flaws affecting the devices' firmware, as well as misconfigured security features.

"These weren't obscure, corner-case vulnerabilities," security vendor Eclypsium said in a report shared with The Hacker News.

"Instead, these were very well-known issues that we wouldn't expect to see even on a consumer-grade laptop. These issues could allow attackers to bypass even the most basic integrity protections, such as Secure Boot, and modify device firmware if exploited."


The company said it analyzed three firewall appliances from Palo Alto Networks, the PA-3260, PA-1410, and PA-415, the first of which reached end-of-sale on August 31, 2023. The other two are fully supported firewall platforms.

The list of identified flaws, collectively named PANdora's Box, is as follows -

  • CVE-2020-10713 aka BootHole (Affects PA-3260, PA-1410, and PA-415), a buffer overflow vulnerability in the GRUB2 bootloader that allows a Secure Boot bypass on Linux systems with the feature enabled
  • A set of System Management Mode (SMM) vulnerabilities affecting Insyde Software's InsydeH2O UEFI firmware that could lead to privilege escalation and Secure Boot bypass (Affects PA-3260)
  • A set of critical vulnerabilities in Unified Extensible Firmware Interface (UEFI) code that allow attackers to bypass Secure Boot and execute malicious code during system startup (Affects PA-3260)
  • A set of vulnerabilities in the UEFI reference implementation's TCP/IP network protocol stack that could lead to code execution and information disclosure (Affects PA-1410 and PA-415)
  • Insecure flash access control, a case of misconfigured SPI flash access controls that could allow an attacker to modify UEFI firmware directly and bypass other security mechanisms (Affects PA-415)
  • An out-of-bounds write vulnerability in the Trusted Platform Module (TPM) 2.0 reference library specification (Affects PA-415)
  • Intel BootGuard bypass via leaked keys (Affects PA-1410)
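The SPI flash access-control item above is the one finding in the list that an administrator can verify directly against a device's registers. The following Python is an added example, not code from Eclypsium or Palo Alto Networks: it decodes the Intel PCH registers that govern writes to the BIOS region (BIOS_CNTL, the FLOCKDN bit in HSFS, and the PR0-PR4 protected ranges) in the same spirit as firmware-audit tooling such as CHIPSEC's common.bios_wp module, and flags a weak configuration beside a hardened one. The register values, the BIOS region boundaries and the names SpiState and assess_flash_protection are constructed for illustration; on real hardware the raw values would be read with a tool like CHIPSEC from the PCH's memory-mapped SPIBAR and the LPC/eSPI bridge.

```python
"""Decode Intel PCH SPI flash write-protection registers and flag weak settings.

Added example (not Eclypsium's or Palo Alto Networks' code). The check is
modelled on what firmware-security tooling such as CHIPSEC's common.bios_wp
module inspects: the BIOS_CNTL register, the FLOCKDN bit in HSFS, and the
SPI Protected Range registers PR0-PR4. The register values in the sample
states are constructed for illustration; the bit layout follows the public
Intel PCH datasheets.
"""
from dataclasses import dataclass
from typing import List, Tuple

# BIOS_CNTL (BC) register bits
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = host software may write the flash
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE while BLE=1 raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: flash writes only honoured from SMM

# HSFS (Hardware Sequencing Flash Status) bit
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PR0-PR4 become read-only

# PRx (Protected Range) register layout; base/limit fields are address bits 26:12
PR_WPE = 1 << 31
PR_LIMIT_SHIFT = 16
PR_FIELD_MASK = 0x7FFF


@dataclass
class SpiState:
    bios_cntl: int
    hsfs: int
    pr: List[int]                  # raw PR0..PR4 values
    bios_region: Tuple[int, int]   # (base, limit) of the BIOS region, inclusive


def decode_pr(value: int) -> Tuple[int, int, bool]:
    """Return (base, limit, write_protect_enabled) for one PR register."""
    base = (value & PR_FIELD_MASK) << 12
    limit = (((value >> PR_LIMIT_SHIFT) & PR_FIELD_MASK) << 12) | 0xFFF
    return base, limit, bool(value & PR_WPE)


def pr_covers_bios_region(state: SpiState) -> bool:
    """True only if locked, write-protected PR ranges cover the whole BIOS region."""
    if not state.hsfs & FLOCKDN:
        return False          # unlocked PRs can simply be cleared by an attacker
    ranges = sorted((b, l) for b, l, wp in map(decode_pr, state.pr) if wp)
    cursor, region_limit = state.bios_region
    for base, limit in ranges:
        if base > cursor:
            break             # gap: [cursor, base) stays writable
        cursor = max(cursor, limit + 1)
    return cursor > region_limit


def assess_flash_protection(state: SpiState) -> dict:
    """Classify the configuration and list the weaknesses found."""
    bc = state.bios_cntl
    findings = []
    if bc & BIOSWE:
        findings.append("BIOSWE=1: flash is writable from the host")
    if not bc & BLE:
        findings.append("BLE=0: BIOSWE can be set without raising an SMI")
    if not bc & SMM_BWP:
        findings.append("SMM_BWP=0: writes are not confined to SMM (BLE-only "
                        "protection is racy)")
    if not state.hsfs & FLOCKDN:
        findings.append("FLOCKDN=0: protected-range registers are not locked")

    bc_protected = bool(bc & BLE) and bool(bc & SMM_BWP) and not bc & BIOSWE
    pr_protected = pr_covers_bios_region(state)
    if not pr_protected:
        findings.append("PR0-PR4 do not cover the BIOS region with WPE set")
    return {"protected": bc_protected or pr_protected,
            "bc_protected": bc_protected,
            "pr_protected": pr_protected,
            "findings": findings}


# Constructed sample states: a 16 MiB flash with the BIOS region at 0x600000-0xFFFFFF
BIOS_REGION = (0x600000, 0xFFFFFF)

# Weak: BLE set but no SMM_BWP, PRs unlocked and empty (the misconfiguration class
# described above; the specific values here are invented)
WEAK = SpiState(bios_cntl=BLE, hsfs=0, pr=[0] * 5, bios_region=BIOS_REGION)

# Hardened: BLE + SMM_BWP, FLOCKDN set, PR0 write-protects the whole BIOS region
PR0_BIOS = PR_WPE | ((0xFFFFFF >> 12) << PR_LIMIT_SHIFT) | (0x600000 >> 12)
HARDENED = SpiState(bios_cntl=BLE | SMM_BWP, hsfs=FLOCKDN,
                    pr=[PR0_BIOS, 0, 0, 0, 0], bios_region=BIOS_REGION)

if __name__ == "__main__":
    for name, st in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess_flash_protection(st)
        print(name, "PROTECTED" if result["protected"] else "NOT PROTECTED")
        for finding in result["findings"]:
            print("  -", finding)
```

Either mechanism alone is sufficient for the verdict: BIOS_CNTL with BLE and SMM_BWP set and BIOSWE clear, or locked protected ranges that cover the entire BIOS region. A BLE-only setup without SMM_BWP is reported as a finding because the write-enable bit can be raced against the SMI handler, and unlocked PR registers count for nothing because the same code that could reflash the chip could clear them first.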

These findings "underscore a critical truth: even devices designed to protect can become vectors for attack if not properly secured and maintained," Eclypsium said. "As threat actors continue to target security appliances, organizations must adopt a more comprehensive approach to supply chain security.

"This includes comprehensive vendor assessments, regular firmware updates, and continuous device integrity monitoring. By understanding and addressing these hidden vulnerabilities, organizations can better protect their networks and data from sophisticated attacks that exploit the very tools meant to protect them."

Update

When reached for comment by The Hacker News, Palo Alto Networks shared the following statement -

The security of our customers is our top priority. Eclypsium has recently published several studies pointing to potential vulnerabilities that may affect some of our Next Generation Firewall products.

The Palo Alto Networks Product Security Incident Response Team evaluated these potential vulnerabilities and determined that the conditions required for successful exploitation do not exist on up-to-date PAN-OS software under normal conditions, with a secured management interface deployed in accordance with best-practice guidelines. Palo Alto Networks is not aware of any malicious exploitation of these issues. Our systems are of the highest caliber and integrity.

Customers and administrators of PAN-OS products are not able to exploit these vulnerabilities, but we are working with the third-party vendor to develop any necessary mitigations. We will notify impacted customers as more information and guidance become available.

In a separate advisory, Palo Alto Networks added that an attacker would first need to compromise the PAN-OS software through other means and obtain elevated privileges to access or modify the BIOS firmware before exploiting any of the above vulnerabilities. It also noted that upgrading to the latest supported versions significantly reduces the risk.

However, the company acknowledged that it is working with third-party vendors to develop firmware updates for the six vulnerabilities flagged in the InsydeH2O UEFI firmware, which may be required for the PA-3200 Series, PA-5200 Series, and PA-7200 Series with the Switch Management Card (SMC-B) installed.

(The article was updated after publication to include a response from Palo Alto Networks.)
