A new CVE disclosure: IPS release timing, missing signatures, default action, and what happens if no PoC is found
Question
- What are the factors for a CVE to be a good candidate for a vulnerability signature?
- What is the approximate time for Palo Alto Networks to provide coverage for a newly published CVE?
- What is the default action for newly created vulnerability signatures?
- What is the next step if no PoC is found?
Environment
- PAN-OS
- Threat Prevention license
Answer
Question 1: What are the factors for a CVE to be a good candidate for a vulnerability signature?
Answer: The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) keeps records of and assigns the names (and IDs) to Common Vulnerabilities and Exposures (CVEs).
Once a new CVE is published, Palo Alto Networks starts working on a vulnerability signature to protect against it. There are three primary conditions for creating a vulnerability signature:
- A valid proof of concept (PoC) must be publicly available for Palo Alto Networks to create a vulnerability signature. The Palo Alto Networks content development team uses the PoC to reproduce the vulnerability and build the protection; no PoC means no signature. The absence of a signature does not necessarily indicate that your network is at risk. If no PoC is available, it may suggest that potential attackers are unaware of the vulnerability or do not possess the knowledge to exploit it.
- The attack vector of the vulnerability should be network-based rather than host-based (local), because a firewall can only detect and block network traffic. Malicious traffic cannot be detected or blocked if it does not pass through the firewall.
- CVSS (Common Vulnerability Scoring System) score: if a CVE's severity is low and it is not widely discussed, the Palo Alto Networks content development team may decide to skip it.
Question 2: What is the approximate time for Palo Alto Networks to provide coverage for a newly published CVE?
Answer: Creating a single quality vulnerability signature goes through many phases, including research, creation, soak testing, quality assurance, and pre- and post-release tuning. The signature is tuned to cover every avenue of possible exploitation while avoiding false positives.
The time varies from signature to signature; for critical exploits, we create a signature quickly and ship it in an emergency release outside the regular release cycle.
Sometimes the Palo Alto Networks content development team may decide not to create a vulnerability signature even when a valid network-based PoC exists, due to other factors such as the CVSS score and a low likelihood of the vulnerability being used in an exploit.
Question 3: What is the default action for newly created vulnerability signatures?
Answer: We set the default action to 'alert' for an initial observation period. The action can be changed at a later time.
If you want to block traffic that matches vulnerability signatures of critical or high severity, you can create a vulnerability rule that overrides the default action based on severity. For more details, please refer to the following article:
Why a vulnerability signature action is set as "alert" while its severity is critical or high
Question 4: What is the next step if no PoC is found?
Answer: Once a CVE is published, we add it to Palo Alto Networks' internal vulnerability monitoring system, which automatically monitors all available public and private sources.
Once this system finds an available PoC, it notifies the Palo Alto Networks content development team, and the team starts working on the signature if the other conditions are met.
To mitigate the risk while there is no signature coverage, apply the vendor's security patch to affected hosts as soon as it is available.
Additional Information
- Before submitting a support case, review the link below to check whether Palo Alto Networks already has signature coverage or whether the IoC can be covered on Strata firewall devices. In addition, check whether the PoC for the vulnerability is valid and publicly accessible.
Link: How to check the IoC coverage for Malware or Vulnerabilities prior to raising a support case