Info about the vulnerabilities and the possible remediations for them.

A_Adamski — Fri, 27 Oct 2023 14:45:49 GMT

Dear All,

I hope you could help me with the query I could not find answer.

The customer is asking for the remediation of the detected vulnerabilities, which I've already researched and found some info about that I've grouped below:

Client Side Testing - OTG-CLIENT-004 - Testing for Client Side URL Redirect
------------------------------------------------------------------------------------------------------------------------
[P3: Medium] OTG-CLIENT-004: External redirect via host header injection.
*I found the below conversations form the Live community about it:
Global Protect - Redirection via Arbitrary Host Header Manipulation
GlobalProtect Qualys: 150307 External Service interaction via Host Header Injection
------------------------------------------------------------------------------------------------------------------------

Cryptography - OTG-CRYPST-001 - Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
------------------------------------------------------------------------------------------------------------------------
[P4: Low] OTG-CRYPST-001: Secure renegotiation not supported.
*As per my checks there ware actually 2 FRs for this feature in the past:
FR ID: 8112 (support for secure renegotiation / inbound SSL decrypt and GlobalProtect )
FR ID: 18516 (Support for RFC 5746 )

*And to fix this it's required to remove weak ciphers from CLI, and use the newest PAN-OS (10.2.5) version that should now support renegotiation:
As per: PAN-OS 10.2.5 Addressed Issues
PAN-184630 - Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Or we can refer to the KB: How to disable medium strength SSL ciphers for SSL/TLS Service Profile on Firewall

[P4: Low] OTG-CRYPST-001: Elliptic curves offered with insufficient level of security.
*And this article provides information on how to harden the SSH service running on the management interface by disabling weak ciphers and weak key (key exchange) algorithms
How to fix Weak Ciphers and Keys on the Management Interface for SSH Access

[P4: Low] OTG-CRYPST-001: Server potentially vulnerable to LUCKY13 attack.
[P4: Low] OTG-CRYPST-001: Insecure digital certificates - chain of trust.
missing info about remediation for last two vulnerabilities
------------------------------------------------------------------------------------------------------------------------

Configuration and Deploy Management Testing - OTG-CONFIG-001 Test Network/Infrastructure Configuration
------------------------------------------------------------------------------------------------------------------------
[P4: Low] OTG-CONFIG-001: Missing X-Permitted-Cross-Domain-Policies security header.
[P4: Low] OTG-CONFIG-001: Insecure HTTP header - X-XSS-Protection.
[P4: Low] OTG-CONFIG-001: Missing Referrer-Policy security header.
[P4: Low] OTG-CONFIG-001: Unsafe Content-Security-Policy security header configuration.
missing info about remediation
------------------------------------------------------------------------------------------------------------------------

Session Management Testing - OTG-SESS-002 - Testing for Cookies attributes
------------------------------------------------------------------------------------------------------------------------
[P5: Informational] OTG-SESS-002: Duplicate cookies set.
missing info about remediation
------------------------------------------------------------------------------------------------------------------------

Could anyone please advise in regards to vulnerabilities I have no info about, and the possible remediation, or point to some documentation about the same.

I will appreciate your help and guidance in regards to the vulnerabilities I've listed above.

Thank you in advance!

Cheers!

Re: Info about the vulnerabilities and the possible remediations for them.

A_Adamski — Mon, 13 Nov 2023 11:15:23 GMT

To keep you posted.

Following the PAN-OS firmware update to version 10.2.5 and the completion of a "PENTEST," vulnerabilities with P3 and P5 priority have been successfully resolved.

Only vulnerabilities categorized as P4 remain. Above is a screenshot outlining the remaining vulnerabilities.

As the newer PAN-OS version is now recommended we will try to upgrade the software to version 10.2.6 and see if this will help.
We want also to verify that the newest content updates are installed on the firewall.

But could anyone maybe advise in regards to vulnerabilities, and the possible remediation, or point to some documentation about the same.

I will appreciate your help and guidance in regards to the vulnerabilities I've listed above.

Thank you in advance!

Cheers!

topic Info about the vulnerabilities and the possible remediations for them. in Next-Generation Firewall Discussions

Info about the vulnerabilities and the possible remediations for them.

Re: Info about the vulnerabilities and the possible remediations for them.