How to fix this vulnerability in palo alto?

L2 Linker

How to fix this vulnerability in palo alto?

Hi,

Please help to resolve the following vulnerability


Vulnerabilities :
1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Thanks in advance

L7 Applicator

Re: How to fix this vulnerability in palo alto?

@karthikeyanB,

Any additional information here would be great, such as what interface you were scanning (MGMT, GlobalProtect Portal)? 

L2 Linker

Re: How to fix this vulnerability in palo alto?

Management

L3 Networker

Re: How to fix this vulnerability in palo alto?

Hi Team,

Could you help us here to fix the vulnerability.

Note: Getting this vulnerability when scanning the Management port.

PAN-OS version 8.1.9

Regards,

Sethupathi M

L1 Bithead

Re: How to fix this vulnerability in palo alto?

Hi

We are also getting the same vulnerabilities from Security Scans on the Management Port.

We are running PAN OS 8.1.9

Any assistance would be greatly appreciated.

Regards

Stuart

L3 Networker

Re: How to fix this vulnerability in palo alto?

Hi Stuart,


For the HTTP OPTIONS and DELETE methods being allowed (note that there is no associated CVE and both are standard HTTP methods):

After review, neither HTTP method has an actual impact on the firewall management Web GUI; therefore the said vulnerability is not applicable in this scenario.

The Palo Alto firewall allows the HTTP OPTIONS and DELETE methods because a new RESTful API capability uses them, not the web server itself. Therefore these two listed vulnerabilities are not applicable to the Palo Alto Networks firewall.

- HTTP DELETE Method
- HTTP OPTIONS Method


For the last vulnerability, "3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)", related to static key ciphers, this can be mitigated by using an ECDSA-based certificate, which will limit the server to the following forward-secrecy ciphers in 8.1:

ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC

Steps for securing the administrative access:

1) Generate/import an ECDSA server certificate on the firewall. This can be generated by using a self-signed ECDSA CA or your internal PKI's ECDSA CA. Please note that the certificate referenced by the SSL/TLS service profile cannot be a CA certificate.
2) Create an SSL/TLS service profile with Min and Max versions set to TLSv1.2
3) Reference the ECDSA certificate in the service profile
4) Apply the profile(s) to the various L3 SSL/TLS services


Hope this clarifies.

-
Regards,
Sethupathi M
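
A way to verify the three findings before and after the change, added here as an example (not Palo Alto Networks code and not from any post in this thread): it classifies a scanner's cipher list into static-key (plain RSA / static ECDH key exchange) versus forward-secrecy suites, probes the management interface one suite at a time over TLS 1.2 to see which it really negotiates, and sends an OPTIONS request to read the Allow header. Assumptions: the management web interface listens on HTTPS/443 at the address passed on the command line (192.0.2.1 is a placeholder), and the sample scanner list is constructed, not a real report.

```python
"""Verify the three scanner findings against a PAN-OS management interface.

Added example; not Palo Alto Networks code and not from any post in this
thread. Assumptions: the management web interface listens on HTTPS/443 and
its address is given on the command line (192.0.2.1 below is a placeholder);
the scanner cipher list is constructed, not a real report.
"""
import http.client
import socket
import ssl
import sys


def is_static_key_cipher(name: str) -> bool:
    """True for suites the scanner calls 'static key': the key exchange is
    plain RSA or static (EC)DH, so anyone holding the server's long-term
    private key can decrypt recorded sessions (no forward secrecy).
    Accepts OpenSSL names (AES128-SHA, ECDHE-ECDSA-AES128-GCM-SHA256) and
    IANA names (TLS_RSA_WITH_AES_128_CBC_SHA). Anonymous ADH/AECDH suites
    also return True; they are unauthenticated and belong off regardless."""
    n = name.upper().replace("_", "-")
    if n.startswith(("TLS-AES-", "TLS-CHACHA20-")):
        return False  # TLS 1.3 suites always use ephemeral (EC)DHE
    if n.startswith("TLS-"):
        n = n[4:]  # IANA name: TLS_ECDHE_RSA_WITH_... -> ECDHE-RSA-WITH-...
    return not n.startswith(("ECDHE-", "DHE-", "EDH-"))


def static_key_findings(suites):
    """Subset of a scanner's cipher list that triggers ssl-static-key-ciphers."""
    return [s for s in suites if is_static_key_cipher(s)]


def accepted_ciphers(host, port, candidates, timeout=5.0):
    """Return the candidates the server actually negotiates over TLS 1.2.
    Each probe offers exactly one suite, so a completed handshake means the
    server will use it. Certificate verification is off on purpose: the
    question is the cipher, and management interfaces are often self-signed."""
    accepted = []
    for suite in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(suite)  # SSLError if the local OpenSSL lacks it
        except ssl.SSLError:
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            pass  # handshake refused: the server does not offer this suite
    return accepted


def parse_allow(header: str) -> set:
    """Methods listed in an HTTP Allow header, e.g. 'GET, OPTIONS, DELETE'."""
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def allowed_methods(host, port, path="/", timeout=5.0):
    """Send OPTIONS and return (status, methods from the Allow header)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, parse_allow(resp.getheader("Allow", ""))
    finally:
        conn.close()


# Constructed sample of what a scanner might list for an RSA certificate
# (illustrative, not a real PAN-OS capture).
SAMPLE_SCAN = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]
# What should remain once the SSL/TLS service profile references an ECDSA
# certificate: the ECDHE-ECDSA suites named in the answer above.
EXPECTED_AFTER = [
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
]
# OpenSSL-style names for the live probe (set_ciphers does not take IANA names).
PROBE = ["AES128-SHA", "AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"] + EXPECTED_AFTER

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    print("static-key suites in sample report:", static_key_findings(SAMPLE_SCAN))
    live = accepted_ciphers(host, 443, PROBE)
    print("server negotiates:", live)
    print("still static-key:", static_key_findings(live))
    print("OPTIONS ->", allowed_methods(host, 443))
```

Run it once before and once after switching the service profile to the ECDSA certificate: the "still static-key" list should be empty afterwards, and the OPTIONS output shows whether the Allow header still advertises DELETE and OPTIONS, which the answer above says is expected on PAN-OS. Note that the probe only proves what the local OpenSSL build can offer, so a suite it cannot construct is silently skipped rather than reported as refused.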
