https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/198922#M59011 <P>Hello Geeks,</P><P>&nbsp;</P><P>During our compliance scanning (PCI-DSS External Scanning) process on our paloalto 3020 firewalls, the scanner found new vulnerability, "CWE-693 : Protection Mechanism Failure" and suggested to fix it ASAP to comply. Hence, I started googling to solve this issues and found no useful solutions for this yet. Is there any way to solve this issue and I am sure that every organization trying to comply with PCIDSS external scanning process are facing this issue now. Really appreciate for your kind suggestions and help.</P><P>&nbsp;</P><P>Best Regards,</P><P>Wai Yan Phyo</P> Tue, 06 Feb 2018 03:38:32 GMT Wayne88 2018-02-06T03:38:32Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/198922#M59011 <P>Hello Geeks,</P><P>&nbsp;</P><P>During our compliance scanning (PCI-DSS External Scanning) process on our paloalto 3020 firewalls, the scanner found new vulnerability, "CWE-693 : Protection Mechanism Failure" and suggested to fix it ASAP to comply. Hence, I started googling to solve this issues and found no useful solutions for this yet. Is there any way to solve this issue and I am sure that every organization trying to comply with PCIDSS external scanning process are facing this issue now. Really appreciate for your kind suggestions and help.</P><P>&nbsp;</P><P>Best Regards,</P><P>Wai Yan Phyo</P> Tue, 06 Feb 2018 03:38:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/198922#M59011 Wayne88 2018-02-06T03:38:32Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/198988#M59018 <P>Does the scan provide a subdivision of detected failures?</P> <P>&nbsp;</P> <P>the CWE seems to be an extremely broad statement that can't be addressed in itself (besides pulling the plug)</P> <P>&nbsp;</P> <P>Did you scan the management interface or a dataplane management profile, have you got weak services enabled (telnet, http, ..) maybe ?</P> Tue, 06 Feb 2018 10:46:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/198988#M59018 reaper 2018-02-06T10:46:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199205#M59059 <P>&nbsp;</P><P>Hi Reaper,</P><P>&nbsp;</P><P>Thanks for your kind response.</P><P>&nbsp;</P><P>The scanner provided the following HTTP headers are absent in our firewall.</P><P>X-XSS-Protection<BR />X-Frame-Options<BR />X-Content-Type-Options:<BR />Public-Key-Pins<BR />Strict-Transport-Security</P><P>&nbsp;</P><P>As this is external compliance scanning, the public-facing (external) interface was scanned and we didn't enable any insecure services like telnet and http.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Feb 2018 03:03:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199205#M59059 Wayne88 2018-02-07T03:03:42Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199255#M59067 <P>Is there a management profile enabled on your external interface?</P> <P>&nbsp;</P> <P>There are a couple of tips to improve security on your external interface:</P> <P>&nbsp;</P> <P>Don't run a management profile on it, use GlobalProtect instead to get to the internal network and connect from there. If this is not an option, enable an ACL on the management profile restricting access to only a select few management IPS</P> <P>&nbsp;</P> <P>If this was not a mgmt profile but GP portal/gateway, you can move the portal and gateway to a loopback interface so you can create a security profile to protect the portal/gw</P> <P>&nbsp;</P> <P>If this was a scan that hit a NAT rule (so a scan rerouted to an internal server), you'll need to review your internal server, but you can add a decryption policy with a decryption profile that enforces minimum protocol version and algorithms</P> Wed, 07 Feb 2018 09:48:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199255#M59067 reaper 2018-02-07T09:48:34Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199508#M59122 <P>- There is no management profile enabled on this external interface.&nbsp;</P><P>&nbsp;</P><P>- Yes, this is just used for GlobalProtect portal / gateway.&nbsp; We may consider to use it with a loopback and set security profiles on it as per your suggestions.</P><P>&nbsp;</P><P>- Apart from these secure protection on firewall, is there any other HTTP header protection which can be enabled on the firewall? I am asking that because the scanner would show the same unprotected vulnerability in the report after scanning&nbsp;due to the lack of&nbsp;its' suggested protection methods enabled on the firewall.</P><P>&nbsp;</P><P>- Only manual verification / testing would approve that the device is protecting itself from these mentioned risks. Also we are not sure if&nbsp;ASV would accept these secure and hardening ways as compensation control to mitigate this vulnerability.</P><P>&nbsp;</P><P>However, we really appreciate for your kind, patient and continuous suggestions and supports.</P><P>&nbsp;</P> Thu, 08 Feb 2018 05:00:59 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199508#M59122 Wayne88 2018-02-08T05:00:59Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199560#M59127 <P>The GP portal and gateway are already hardened but putting a security profile on top would block incoming scans or exploits for potentially vulnerable services before they hit the service itself.</P> <P>Legitimate connections where something is reported as missing would still come back, but an actual exploit will be blocked by the profile</P> <P>&nbsp;</P> <P>you could reach out to your local sales team to have a more thorough investigation of your configuration, they can run best practices and recommendations tools on your config and make more in-depth analysis of your situation and possibly provide better tailored mitigation advise</P> Thu, 08 Feb 2018 10:51:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/199560#M59127 reaper 2018-02-08T10:51:47Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/211407#M61682 <P>Having same issue, however i am getting this not on the GP interface but another. How did you solve this?</P> Mon, 23 Apr 2018 21:19:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/211407#M61682 sruddy 2018-04-23T21:19:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/211445#M61688 <P>Hi Sruddy,</P><P>&nbsp;</P><P>PA recommend to upgrdate to PAN OS 8.0.8 to mitigate this vulnerability. This upgrade will enable the following http headers in PA firewall.&nbsp;</P><P>&nbsp;</P><P><FONT color="black">X-XSS-Protection</FONT><FONT color="black"><BR />X-Content-Type-Options</FONT><FONT color="black"><BR />Content-Security-Policy</FONT></P><P>&nbsp;</P><P><FONT color="black">Thank you.</FONT></P><P>&nbsp;</P><P><FONT color="black">Best Regards,</FONT></P><P><FONT color="black">Wai Yan</FONT></P> Tue, 24 Apr 2018 06:52:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-solve-quot-cwe-693-protection-mechanism-failure-quot-in/m-p/211445#M61688 Wayne88 2018-04-24T06:52:55Z