The disclosure of a critical vulnerability, rated 9.8 out of 10, affecting Palo Alto Networks firewall appliances with the GlobalProtect Portal VPN enabled is creating controversy in the security industry, as it appears one security vendor used it for close to a year in "Red Team" penetration testing before reporting it to Palo Alto Networks.
Security vendor Randori developed a working exploit for the CVE-2021-3064 flaw, which affects multiple versions of PAN-OS, the operating system that runs the firewalls in question, leaving over 10,000 internet-facing devices exposed to exploitation by attackers.
Randori says it started researching the GlobalProtect Portal VPN in October last year, and found a buffer overflow bug together with a method, known as HTTP request smuggling, of bypassing validation performed by an external web server in front of the vulnerable code.
In December 2020, Randori says it began "authorised use of the vulnerability chain" as part of its automated Red Team attack platform.
It wasn't until September and October this year, however, that Randori disclosed the buffer overflow and HTTP smuggling bugs to Palo Alto Networks, which assigned a Common Vulnerabilities and Exposures identifier to the flaws.
Palo Alto Networks issued patches the following month, but Randori has yet to explain why it took some nine months to report the vulnerabilities to the vendor.
The infosec community was initially appalled at the length of time before Randori disclosed the vulnerability to Palo Alto Networks, questioning the ethics of withholding the report while using the flaw as part of its Red Team consultancy.
I can't stop thinking about this, @RandoriAttack can you help me understand the logic behind finding a vuln, sitting on it AND exploiting your red team customers with it for almost a year before disclosing it to the vendor? I assume I'm missing a perspective here and I'm curious. https://t.co/ifz3nnoqI5
— jayjacobs (@jayjacobs) November 10, 2021
It now appears that Palo Alto Networks quietly fixed the bug in September last year, but whether or not that fix was intentional is not clear.
Palo Alto Networks has not yet explained why it assigned a CVE to the bug, and issued official patches for it, only this year.