Here’s a summary from A Letter to Palo Alto Networks Employees and Customers:
- Vulnerabilities in several intrusion detection products, including those sold by Palo Alto Networks, were reported by The SANS Institute 3 years ago in a white paper called Beating the IPS.
- A few weeks ago, NetSecVulns published a video showing Palo Alto Networks gateways are still susceptible to these flaws. (Note: This video is now private)
- Rather than acknowledge the issue, Palo Alto Networks had their representatives send out emails to their customers claiming Check Point was cheating and misleading about the issue.
- After providing a test bed demonstrating the vulnerability in action to Palo Alto Networks, a representative finally acknowledged the issue and promised to develop a fix.
- Claims from Palo Alto Networks representatives that Check Point is cheating and misleading about the issue continue, despite receiving concrete proof to the contrary.
The issue is a little more nuanced than this of course, so I recommend reading the piece by Moti Sagey on LinkedIn. That said, I have a couple of questions of my own:
- Previously unknown long-time vulnerabilities such as those recently discovered in some of Juniper’s legacy products are one thing. How can a company sit on widely reported security issues for three years and not do anything to fix them or even publicly acknowledge them? We can argue about the length of time that is acceptable per responsible disclosure guidelines, or whether the issue was responsibly disclosed in this case. I’ve yet to find any information security professional who thinks three years is reasonable, particularly when the issues are this widely known.
- How can a company require so many manual steps to configure their security gateways to be resilient against evasions? Imagine having to perform these steps on firewalls across your enterprise, not to mention tracking continued compliance with these best practices.
- If this hasn’t been an issue all along, how come there is no public statement from Palo Alto Networks like there was for the Firestorm issue? That one is, by the way, still a potential issue, but PAN at least responded saying they don’t believe it is.
- If you received—or worse, had to deliver—the communication from Palo Alto Networks about this Evader issue that has been proven false, how does that make you feel about Palo Alto Networks as an organization?
Disclaimer: I don’t know what Check Point’s formal stance on this issue is; I didn’t ask. These are my own thoughts.