Terminal Services Agent 7.0.7 Changes on User Apps requesting Specific Source Ports

by NMarkovic on 03-09-2017 02:50 PM - edited on 03-15-2017 09:59 AM


This document describes a change made in Terminal Services Agent 7.0.7. The change is documented in the release notes and in the Palo Alto Networks security advisory PAN-SA-2017-0002. From the release notes:

"A security-related fix was made to address a spoofing vulnerability. (CVE-2017-5328 / PAN-SA-2017-0002)"


Problem Description

Prior to Terminal Services Agent (TS Agent) version 7.0.7, a custom script running in the 'user' context could reserve an arbitrary source port, circumventing the TS Agent source port allocation range. This was fixed with the change made in TS Agent 7.0.7: all 'user'-triggered applications are now assigned source ports from the respective TS Agent source port range.


Reverting to behavior prior to TS Agent 7.0.7

Some deployments relied on custom application(s) being able to reserve specific source ports outside the TS Agent range in order to function properly. Because of this, a new registry value was added in version 7.0.7 that can enable the same behavior as previous TS Agent releases (while running the latest TS Agent):

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Adv\HonorSrcPortRequest

Based on the configured value, one of three behaviors applies:

0: Ignore all application-specified source port requests and allocate the port from the respective TS Agent source port range (default 7.0.7 behavior).
1: Honor application-specified source port requests only if the port is not within the source port allocation range for interactive user sessions.
2: Honor all application-specified source port requests.


Setting the value to "2" makes the agent behave the same way as it did prior to version 7.0.7, which also restores the port-reservation behavior that the 7.0.7 fix addressed.

Setting the value to "1" allows custom applications/scripts to reserve an arbitrary port only if it is outside the TS Agent port range meant for interactive user sessions (usually 20000-39000).


After changing the registry setting, no restart is required; the TS Agent 'debug.log' will immediately show the change. For example:

03/09/17 23:44:04[Info 1829]: Load advanced config HonorSrcPortRequest 1.
03/09/17 23:44:21[Info 1829]: Load advanced config HonorSrcPortRequest 0.
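As an added example (not part of the original article or the TS Agent product), the following PowerShell audit script reads the HonorSrcPortRequest value described above, reports which of the three behaviors is in effect, and cross-checks it against the most recent "Load advanced config" line in debug.log. The debug.log path, the DWORD value type and the treatment of an absent value as the 7.0.7 default are assumptions.

```powershell
# Added audit example, not the article's or vendor's own code.
# Assumptions: HonorSrcPortRequest is a DWORD; an absent value means the
# 7.0.7 default (0); the debug.log location must be supplied by the admin.
param(
    [string]$DebugLog = 'C:\PLACEHOLDER\TS Agent\debug.log'  # assumption: adjust per install
)

$keyPath   = 'HKLM:\SOFTWARE\Palo Alto Networks\TS Agent\Adv'
$valueName = 'HonorSrcPortRequest'

# Meaning of each documented value (from the article)
$behaviors = @{
    0 = 'Ignore app-requested source ports; allocate from TS Agent range (7.0.7 default)'
    1 = 'Honor app-requested ports only outside the interactive-session range'
    2 = 'Honor all app-requested ports (pre-7.0.7 behavior; fix for CVE-2017-5328 not in effect)'
}

function Get-HonorSrcPortRequest {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # assumption: missing value = default behavior
    return [int]$item.$valueName
}

$current = Get-HonorSrcPortRequest
$desc = $behaviors[$current]
if (-not $desc) { $desc = 'Undocumented value for 7.0.7' }
Write-Output ("{0}\{1} = {2}: {3}" -f $keyPath, $valueName, $current, $desc)
if ($current -eq 2) {
    Write-Warning 'User-context applications may reserve source ports outside the TS Agent range.'
}

# Verify the agent actually loaded the value: inspect the last matching debug.log line
if (Test-Path $DebugLog) {
    $last = Select-String -Path $DebugLog -Pattern "Load advanced config $valueName (\d+)" |
            Select-Object -Last 1
    if ($last) {
        $loaded = [int]$last.Matches[0].Groups[1].Value
        if ($loaded -ne $current) {
            Write-Warning ("debug.log last loaded {0}, registry now holds {1}." -f $loaded, $current)
        } else {
            Write-Output "debug.log confirms the agent loaded $valueName $loaded."
        }
    }
}
```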

