Category Archives: Security

Palo Alto zero-day (CVE-2021-3064) used for a year by Randori before disclosure

This timeline is published by Randori itself, disclosing “authorized use” of a zero-day in Palo Alto products.

  • 2020-10-26: Randori began initial research on GlobalProtect.
  • 2020-11-19: Randori discovered the buffer overflow vulnerability.
  • 2020-11-20: Randori discovered the HTTP smuggling capability.
  • 2020-12-01: Randori began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.
  • 2021-09-22: The buffer overflow vulnerability was disclosed by Randori to PAN.
  • 2021-10-11: The HTTP smuggling capability was disclosed by Randori to PAN.
  • 2021-11-10: PAN released patches and a security bulletin assigning the vulnerability CVE-2021-3064.
  • 2021-11-10: This report was published.
Source: Randori

CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. The problematic code is not reachable externally without utilizing an HTTP smuggling technique. Exploitation of these together yields remote code execution under the privileges of the affected component on the firewall device. The smuggling capability was not designated a CVE identifier as it is not considered a security boundary by the affected vendor. In order to exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (default port 443). As the affected product is a VPN portal, this port is often accessible over the Internet.

What does this mean? While it’s tempting to focus on the ethics of Palo Alto for “authorizing” behavior, or for the ethics of that behavior… the reality on the ground is Randori has painted a very large target on themselves as a suspicious repository of zero-day information.

In related news of very large targets, even though this sounds like a headline from a decade ago, Sky admits just now that it left 6 million consumer network devices vulnerable for 1.5 years.

…researchers say it took Sky 18 months to address. The vulnerability could have affected anyone who had not changed the router’s default admin password.

The BBC headline really should have been “The Sky is failing” as in Sky was “failing to meet numerous deadlines they set themselves”.

How Gaining Knowledge Violates the U.S. First Amendment

Here is an excellent lecture by legal scholar Robert C. Post on why speech must be regulated for an environment to encourage free speech.

Research, Post said, is ultimately based in the notion that not everyone has equal knowledge of a given topic and that expert knowledge is created through disciplinary study. “When we are talking about university research and expanding knowledge, it is resting on a disciplinary hierarchy, which is exactly opposite of the democratic equality on which freedom of speech rests,” he said.

Therefore, in order to perform research and to advance it, he said, universities must discriminate on content, make judgments that some ideas are better than others and compel professors and researchers to speak in order to communicate their knowledge. Though these actions further the mission of a university, he said, they violate the rules of the First Amendment.

In other words (pun not intended) improving knowledge using a process of evaluation with measured results, where some inputs can be judged by an authorized process, violates a political framework designed to maintain power (rights) of ignorance.

This is hardly different than saying a moving environment should be regulated based on science of physics (e.g. dismissing the political controversy about seat belts given basic economics of safety) for society to be more physically safe.

Post continues:

“Any teacher knows that students who are threatened or assaulted don’t listen,” he said. “They don’t learn. So you have to create the conditions under which learning is possible, and you have to regulate the speech in order to advance that goal.” Again, he said, these requirements of good teaching and learning necessarily violate the rules of the First Amendment.

Related:

Mapping Genocide in California

A while ago I wrote about Stanford’s role in genocide, as well as Polk.

The California Historical Society has a webinar coming up on November 30th with more details: “Truth & Resistance: Mapping American Indian Genocide in San Francisco”

The American Indian Cultural District (AICD) in San Francisco is undertaking a project called Mapping Genocide to examine the intentional erasure of American Indian history and contributions. AICD’s Co-founder and Executive Director Sharaya Souza (Taos Pueblo, Ute, Kiowa) and Director of Community Development & Partnerships Paloma Flores (Pit River, Purhepecha) will discuss some of the individuals San Francisco has chosen to honor and their role in American Indian genocide. The panelists will also talk about how you can help create resistance against the systemic erasure of American Indian history throughout San Francisco.