https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572899#M115252 <P>And if you have changed master key then don't forget to update it before it expires otherwise you need to reset your firewall to factory default.</P> <P>&nbsp;</P> <P>"You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings."</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/certificate-management/configure-the-master-key" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/certificate-management/configure-the-master-key</A></P> <P>&nbsp;</P> Fri, 12 Jan 2024 19:22:51 GMT Raido_Rattameister 2024-01-12T19:22:51Z https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/510683#M106246 <DIV class=""> <DIV class=""> <DIV class="" dir="auto" lang="en" data-testid="tweetText"><SPAN class=""><SPAN class="">Hello All,</SPAN></SPAN> <DIV class="" dir="auto" lang="en" data-testid="tweetText"><SPAN class=""><SPAN class="">I saw the below on twitter...</SPAN></SPAN> <DIV class="" dir="auto" lang="en" data-testid="tweetText">&nbsp; <DIV id="id__aqcmba5pktc" class="" dir="auto" lang="en" data-testid="tweetText"><SPAN class=""><SPAN class="">I wrote a tool to check master key configuration on palo alto firewalls and so far I haven't run into any instances of people actually changing the master key from p1a2l3o4a5l6t7o8</SPAN></SPAN> <DIV class=""> <DIV id="id__uzystzbk8ie" class="" aria-labelledby="id__b1z0w7she49 id__1wsc8q1jrc4"> <DIV id="id__1wsc8q1jrc4" class="" aria-labelledby="id__21vjx3gtuz4 id__wreki4s381s" data-testid="card.wrapper"> <DIV id="id__21vjx3gtuz4" class="" aria-hidden="true" data-testid="card.layoutLarge.media"> <DIV class=""> <DIV class="">&nbsp; <DIV class=""> <DIV class="" aria-label=""> <DIV class="">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1659529373594.png"><img /></span>&nbsp; <DIV id="id__wreki4s381s" class=""> <DIV class="" data-testid="card.layoutLarge.detail"> <DIV class="" dir="auto"><SPAN class=""><SPAN class="">gist.github.com</SPAN></SPAN> <DIV class="" dir="auto"><SPAN class=""><SPAN class="">check if a PAN firewall is using the default master key when globalprotect is enabled</SPAN></SPAN> <DIV class="" dir="auto"><SPAN class="">check if a PAN firewall is using the default master key when globalprotect is enabled - checkmk.py</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1659529373594.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42755i865F0599DCA8E3B7/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_0-1659529373594.png" alt="OtakarKlier_0-1659529373594.png" /></span></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 03 Aug 2022 12:29:20 GMT https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/510683#M106246 OtakarKlier 2022-08-03T12:29:20Z https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/510751#M106255 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a> ,</P> <P>&nbsp;</P> <P>Thanks for sharing this.</P> <P>Adding the direct link from github:</P> <P><A href="https://gist.github.com/rqu1/6175cb2972291fc9ac96ef18f72b792c" target="_blank">https://gist.github.com/rqu1/6175cb2972291fc9ac96ef18f72b792c</A></P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 04 Aug 2022 09:03:34 GMT https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/510751#M106255 kiwi 2022-08-04T09:03:34Z https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/511751#M106365 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;,</P> <P>Also changing the master key does not require a reboot so it can be done at anytime. Just remember to add it to your password manager, if lost you'll need a factory reset the device :(.</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 12 Aug 2022 17:23:20 GMT https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/511751#M106365 OtakarKlier 2022-08-12T17:23:20Z https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572586#M115213 <P>This is old but got bubbled back up for me. Did we find out if this was the master key?&nbsp;</P> <P>&nbsp;</P> <P>Also, do we know if any PAN-OS update change the master key?</P> Wed, 10 Jan 2024 17:35:26 GMT https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572586#M115213 Usama-Ahmed 2024-01-10T17:35:26Z https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572886#M115250 <P>Hello,</P> <P>You must change the master key manually. Also make sure to back it up.</P> <P>Regards,</P> Fri, 12 Jan 2024 17:52:35 GMT https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572886#M115250 OtakarKlier 2024-01-12T17:52:35Z https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572899#M115252 <P>And if you have changed master key then don't forget to update it before it expires otherwise you need to reset your firewall to factory default.</P> <P>&nbsp;</P> <P>"You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings."</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/certificate-management/configure-the-master-key" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/certificate-management/configure-the-master-key</A></P> <P>&nbsp;</P> Fri, 12 Jan 2024 19:22:51 GMT https://live.paloaltonetworks.com/t5/general-topics/new-rce-on-globalprotect-if-you-didnt-change-the-master-key/m-p/572899#M115252 Raido_Rattameister 2024-01-12T19:22:51Z