Well, I guess you can add Palo Alto to the list of never trust...

Sky-Knight · Nov 11, 2021

Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating

Palo Alto Networks patches critical buffer overflow bug in its GlobalProtect VPN.

arstechnica.com

Because not only did they not patch a massive security problem for a year, but they abused it to sell their premiums support services.

SAFCasper · Nov 12, 2021

Palo Alto aren't to blame here if you read again. It was an external security company, Randori, who discovered and abused the vulnerability for 12 months.

Palo Alto were only made aware of the full exploit last month and patched it soon after.

2020-10-26: Randori began initial research on GlobalProtect.
2020-11-19: Randori discovered the buffer overflow vulnerability.
2020-11-20: Randori discovered the HTTP smuggling capability.
2020-12-01: Randori began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.
2021-09-22: The buffer overflow vulnerability was disclosed by Randori to PAN.
2021-10-11: The HTTP smuggling capability was disclosed by Randori to PAN.
2021-11-10: PAN released patches and a security bulletin assigning the vulnerability CVE-2021-3064.
2021-11-10: This report was published.

Timeline taken from Randori's own breakdown - https://www.randori.com/blog/cve-2021-3064/

Sky-Knight · Nov 12, 2021

@SAFCasper Yeah I missed that, for some reason I thought Randori was related to Palo Alto. They aren't.

Darned weasels...

Well, I guess you can add Palo Alto to the list of never trust...

Sky-Knight

Well-Known Member

Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating

SAFCasper

Well-Known Member

Sky-Knight

Well-Known Member

Similar threads