Tag Archives: firewall

About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability

About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability. PAN-OS is an operating system for Palo Alto Networks firewalls and security platforms. User-ID™ Authentication Portal (also known as Captive Portal) is a non-default PAN-OS feature used to map IP addresses to usernames. By exploiting a buffer overflow vulnerability (CWE-787), an unauthenticated remote attacker can send specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected device. No authentication or user interaction is required. If the vulnerability is successfully exploited, the attacker gains full control over network traffic: they can intercept, modify, or block connections, access sensitive data, bypass security policies, hide traces of compromise, install backdoors, and use the device as a foothold for attacks on internal infrastructure.

⚙️ The vendor security advisory was published on May 6. PA-Series and VM-Series firewalls are affected. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability. Security updates for affected devices became available on May 13. As a workaround, the vendor recommended restricting User-ID™ Authentication Portal access to only trusted internal zones or disabling the User-ID™ Authentication Portal entirely if it is not required.
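The two points above that matter for triage are that PAN-OS hotfix suffixes (-hN) must compare correctly against the fixed version, and that a device with the Authentication Portal disabled is not currently exposed but still needs the update. The following Python script is an added example, not code from the original post or from Palo Alto Networks. The FIXED_VERSIONS table, the hostnames and the version numbers in SAMPLE_INVENTORY are made-up placeholders: fill the table with the fixed versions from the vendor advisory before using it.

```python
import re
from typing import Dict, List, Tuple

# Placeholder fixed-version table keyed by release train ("major.minor").
# The numbers are hypothetical: replace them with the fixed versions listed
# in the Palo Alto Networks advisory for CVE-2026-0300.
FIXED_VERSIONS: Dict[str, str] = {
    "10.2": "10.2.13-h3",
    "11.1": "11.1.6-h1",
    "11.2": "11.2.4",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version string 'MAJOR.MINOR.MAINT[-hN]' into a tuple
    that compares numerically. A missing hotfix suffix counts as hotfix 0,
    so 11.1.4 sorts before 11.1.4-h1 and 11.1.10 sorts after 11.1.9-h5."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def release_train(version: str) -> str:
    """Return the 'major.minor' train a version belongs to."""
    major, minor, _, _ = parse_panos_version(version)
    return f"{major}.{minor}"


def assess(version: str, portal_enabled: bool,
           fixed: Dict[str, str] = FIXED_VERSIONS) -> str:
    """Classify one device:
    'patched'                   running the fixed version (or later) for its train
    'vulnerable'                unpatched and the Authentication Portal is enabled
    'unpatched-portal-disabled' unpatched, but the vulnerable feature is off
                                (no current exposure; still schedule the update)
    'unknown-train'             train not in the table; check the advisory
    """
    train = release_train(version)
    if train not in fixed:
        return "unknown-train"
    if parse_panos_version(version) >= parse_panos_version(fixed[train]):
        return "patched"
    return "vulnerable" if portal_enabled else "unpatched-portal-disabled"


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Run assess() over (hostname, version, portal_enabled) rows and
    return (hostname, version, status) with the most urgent devices first."""
    order = {"vulnerable": 0, "unpatched-portal-disabled": 1,
             "unknown-train": 2, "patched": 3}
    rows = [(host, ver, assess(ver, portal)) for host, ver, portal in inventory]
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.5-h2", True),
    ("fw-edge-02", "11.1.6-h1", True),
    ("fw-dc-01", "10.2.13-h2", False),
    ("fw-lab-01", "9.1.16", True),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:12} {status}")
```

The comparison is done on parsed tuples rather than on strings, because a string comparison would rank "11.1.9-h5" above "11.1.10". The portal flag has to come from each device's configuration; the script only combines it with the version check.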

👾 On the same day, May 6, researchers from Palo Alto Networks Unit 42 published a report on active exploitation of the vulnerability in the wild. Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and systematic destruction of logs and other evidence of compromise. On the same day, the vulnerability was added to the CISA KEV catalog.

🛠 A public exploit was also published on GitHub on May 6.

🌐 PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. As of June 5, Shodan identifies about 135,755 internet-facing PAN-OS instances. Not all of them have the non-default Authentication Portal enabled, but the figure gives a sense of the potential attack surface.

Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk

Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk. In the previous post I wrote about Asset Inventory and Vulnerability Scanning on the Network Perimeter. Now it's time to write about the Internal Network.

Typical IT-infrastructure of a large organization

I see the typical IT infrastructure of a large organization as a monstrous favela, like the Kowloon Walled City in Hong Kong. At the beginning it was probably wisely designed, but for years it has been heavily affected by spontaneous development in various projects as well as by multiple acquisitions. And now very few people in the organization really understand how it all works and who owns each piece.

There is a common belief that Active Network Scanning can be used for Asset Inventory in an organization. Currently, I'm not a big fan of this approach, and here I will try to explain the disadvantages of this method and mention some alternatives.

Continue reading

What's new in Gartner WAF Magic Quadrant 2017?

What’s new in Gartner WAF Magic Quadrant 2017? To tell the truth, I have not been much interested in the Web Application Firewall market since the time I was doing competitive analysis at Positive Technologies. A few days ago Gartner published a fresh WAF report with interesting Magic Quadrants, and I decided to figure out what's new there.

Here you can download the full Gartner WAF MQ 2017 report for free. Thanks to Positive Technologies for the opportunity!

First of all, let’s look at the illustrations. I took the Magic Quadrant from this year’s report:

Gartner Magic Quadrant WAF 2017

And, for comparison, the quadrants from the 2014 and 2015 reports:

Gartner Magic Quadrant WAF 2014 and 2015.

The first thing that caught my eye was Akamai among the Leaders! And apparently this is the main message.

Continue reading

Nessus Manager and Agents

Nessus Manager and Agents. In this post I would like to share my experience with Tenable Nessus Manager, and especially how to manage agent-based scans with it.

Nessus Manager and Agents

First of all, I will once again briefly describe the main editions of the Nessus vulnerability management solution: three that you can deploy in your own infrastructure and one that is cloud-based (Nessus Cloud).

There is, of course, the well-known Nessus Home edition, which is free for home users. Nessus Home is strictly limited in the number of IP addresses you can scan. If you try to use it in a commercial environment, you might have problems with Tenable. But for scanning some home servers and desktops, or for studying how vulnerability scanners work, it is a really great option. You get the home license automatically after filling in the registration form. I described how to register, configure and use Nessus Home in my earlier post.

Nessus Professional is for cybersecurity professionals and individuals who use the product for security assessments. It is the most popular version of Nessus. There is no limit on IP addresses, so you can purchase one Nessus Professional license and, in theory, scan everything in your organization. The scanner costs about $2,000, a very reasonable price compared with the competitors. It also supports multiple user accounts.

If Nessus Professional does such a good job, why would anybody want anything else? The answer is managing multiple connected vulnerability scanners and local agents. You can configure another edition, Nessus Manager, to run scan tasks on remotely connected Nessus Professional scanners. You can also configure Nessus Manager to run audit and compliance scan tasks with locally installed Nessus Agents, and it is the only way to do this. Even if you have already purchased an expensive enterprise vulnerability management product from Tenable, such as Tenable SecurityCenter or SecurityCenter Continuous View, you will still need to pay an extra ~$3,000 to $5,000 for Nessus Manager if you want to use local agents.

Nessus Cloud is like Nessus Manager, but it is hosted on Tenable's own servers.

Why might you need local agents for scanning? The most obvious reason is that you won't need to manage credentials for authenticated scans. You can also look at how Qualys implemented agent-based scanning and compare it with Tenable's approach below.

Continue reading