topic Re: Global Protect - Redirection via Arbitrary Host Header Manipulation in GlobalProtect Discussions

Global Protect - Redirection via Arbitrary Host Header Manipulation

Arachen — Fri, 22 Sep 2023 09:06:19 GMT

Having ran a PCI DSS compliance scan it has come back that our Global Protect VPN setup is flagged as a failing vulnerability for Redirection via Arbitrary Host Header Manipulation.

We have it setup to redirect to azure to authenticate account details.

The solution they have given us to fix the issue is;

Implementing proper validation and sanitization of input headers is essential to mitigate the risks of Host header injection.
Whitelist domains, only allow permitted domains to be included in Host header.

How do we go about implementing this.

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

SturgisIT — Tue, 26 Sep 2023 14:32:50 GMT

Ours doesn't even redirect that far out. It merely redirects HTTP to HTTPS for local authentication in order to view the links to download the GlobalProtect client(s). One very unclear recommendation I saw a month or two back was to filter (deny) HTTP traffic (with no other details) but this seemed like a great way to break legitimate traffic for end users if not implemented correctly.

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

AustinJohnson — Fri, 29 Sep 2023 17:34:20 GMT

Hi Arachen,

I just ran a scan and received the exact same result as you. Everything passed except for the issue you're seeing as well. Were you ever able to figure out a fix for this issue?

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

MatthewFrank — Wed, 18 Oct 2023 16:30:14 GMT

We are having the same issue with our PCI compliance scans for credit card processing. We do this quarterly and it just started failing this time so I guess the compliance scans are now flagging this. I's not enough to disable the portal landing page. A redirect to a non-existent page still occurs and that is what is being flagged.

We tried explicitly blocking the redirect page, but the redirect still occurs. This seems like something Palo Alto needs to address if they have not already. We have a support case open so we'll see if someone has an answer.

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

janelle.provine — Thu, 19 Oct 2023 11:56:52 GMT

Was a resolution found to this issue?

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

SturgisIT — Fri, 20 Oct 2023 15:10:10 GMT

No fix that I'm aware of. I am raising a false positive report with PCI Assure which is the vendor I have to deal with and am looping them in on this forum post within that.

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

SturgisIT — Fri, 20 Oct 2023 15:48:27 GMT

Case # 02750366 submitted to support as I've had to take time out for this issue far too many times now.

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

UtkarshKumar — Mon, 30 Oct 2023 18:53:28 GMT

Hello Team, Is there any update from TAC on this we are seeing a similar issue.

Re: Global Protect - Redirection via Arbitrary Host Header Manipulation

SturgisIT — Tue, 07 Nov 2023 16:04:27 GMT

It appears support has attempted to call me several times but the call is not being accepted/connected. That probably is not a PA issue however, as we've had many problems with our hosted VoIP provider. Still, my ticket detail references this community discussion topic with a direct link to it and specifically asks, "If you would, please respond to this post with directions on how to block HTTP requests ONLY for the GlobalProtect portal."

It would be nice for all if support could provide a guide here on how to work around this.