How does vulnerability scoring (severity) is determined by Palo Alto networks?
17167
Created On 02/11/22 17:55 PM - Last Modified 12/15/22 00:07 AM
Question
How do PaloAlto Networks categorize threat severity?
Environment
- Palo Alto Firewalls and Panorama.
- PAN-OS 8.1 and above.
- Threat Signature.
Answer
- Signature severity is typically determined by the combination of considerations including the CVSS score and other factors. CVSS score plays a big consideration.
- Palo Alto networks do their own own analysis of the vulnerabilities.
- The analysis is based on how easy it is to exploit the vulnerability, the impact on vulnerability, the pervasiveness of the vulnerable product, the impact of the vulnerability, and more.
- CRITICAL severity:
- When vulnerability affects default installations of very widely deployed software and the exploits can result in root compromised. The CVE score is very high.
- The exploit code( information about how to exploit the system code, methods, Proof of concept(POC)) is widely available and easy to exploit.
- The attacker doesn't need any special authentication credentials, knowledge about individual victims, any social engineer.
- High severity:
- A vulnerability that has all characteristics for being CRITICAL but these are difficult to exploit,
- Doesn't result in root access, or elevated privileges, victim pool is limited, need social engineering.
- HIGH vulnerabilities where the mitigating factor arises from a lack of technical exploit details will become CRITICAL if these details are later made available.
- Thus, the paranoid administrator will want to treat such HIGH vulnerabilities as CRITICAL, if it is assumed that attackers always possess the necessary exploit information.
- Medium severity:
- When exploitation provides very limited access to the victim's system, can mitigate easily,
- Require an attacker to reside on the same local network as a victim, social engineer individual victims, and only affect nonstandard configurations or obscure applications.
- LOW severity:
- Vulnerabilities by themselves have very little impact on an organization's infrastructure.
- These types of vulnerabilities usually require local or physical system access or may often result in client-side privacy or denial of service issues and information leakage of organizational structure, system configuration and versions, or network topology.
- Another type of low signature may indicate traffic that is necessary for attacking a server, such as Microsoft RPC Endpoint Mapper.
- In order to successfully attack Microsoft RPC vulnerabilities, an attack must first query an RPC endpoint first.
- INFORMATIONAL severity:
- Vulnerabilities may not actually be vulnerabilities, but rather suspicious events that are reported to call attention to security professionals that deeper problems could possibly exist.
Additional Information
The CVSS scoring for Prisma cloud can be found here.
Example:
CVSS BASE SCORE | PRISMA CLOUD SEVERITY |
---|---|
0.0 - 3.9 | Low |
4.0 - 6.9 | Medium |
7.0 - 8.9 | High |
9.0 -10.0 | Critical |