07-30-2019 02:05 AM
Hi,
Please help to resolve the following vulnerabilities.
Vulnerabilities:
1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)
Thanks in advance
07-30-2019 09:30 AM
Any additional information here would be great, such as what interface you were scanning (MGMT, GlobalProtect Portal)?
08-05-2019 10:03 PM
Hi Team,
Could you help us here to fix the vulnerabilities?
Note: Getting these vulnerabilities when scanning the Management port.
PAN-OS version 8.1.9
Regards,
Sethupathi M
10-18-2019 05:42 AM
Hi
We are also getting the same vulnerabilities from security scans on the Management port.
We are running PAN OS 8.1.9
Any assistance would be greatly appreciated.
Regards
Stuart
10-19-2019 12:04 AM
Hi Stuart,
Regarding the HTTP OPTIONS and DELETE methods being allowed (note there is no associated CVE and both are standard HTTP methods):
After review, both HTTP methods have no actual impact on the firewall management Web GUI, therefore the said vulnerability is not applicable in this scenario.
The Palo Alto firewall allows the HTTP OPTIONS and DELETE methods because a new RESTful API capability uses them, not the web server itself. Therefore these two listed vulnerabilities are not applicable to Palo Alto Networks firewalls.
- HTTP DELETE Method
- HTTP OPTIONS Method
For the last vulnerability, "3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)", this can be mitigated by using an ECDSA-based certificate, which will limit the server to the following forward-secrecy ciphers in 8.1:
- ECDHE-ECDSA-AES-128-SHA
- ECDHE-ECDSA-AES-256-SHA
- ECDHE-ECDSA-AES-128-GCM-SHA-256
- ECDHE-ECDSA-AES-256-GCM-SHA-384
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC
Steps for securing the administrative access:
1) Generate/import an ECDSA server certificate on the firewall. This can be generated using a self-signed ECDSA CA or your internal PKI's ECDSA CA. Please note that the certificate referenced by the SSL/TLS service profile cannot be a CA certificate.
2) Create an SSL/TLS service profile with Min and Max versions set to TLSv1.2
3) Reference the ECDSA certificate in the service profile
4) Apply the profile(s) to the various L3 SSL/TLS services
Hope this clarifies.
Regards,
Sethupathi M
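Before and after applying the ECDSA profile described in the reply above, a practitioner will want to verify for themselves what the management interface actually offers, rather than rely on the scanner's one-line finding. The following is an added example and not code from the thread or from Palo Alto Networks: it classifies cipher suite names (IANA, OpenSSL, or the hyphenated spelling used in the reply) as static-key or forward-secret, compares an offered list against the four ECDHE-ECDSA suites listed above, and includes an optional live enumerator that offers one suite per TLS 1.2 handshake with Python's `ssl` module. The sample list `SAMPLE_RSA_CERT_SERVER` is constructed for illustration, not taken from a real PAN-OS scan; `EXPECTED_81_ECDSA` is copied from the reply above.

```python
"""Audit a TLS server's offered cipher suites for the 'static key ciphers'
finding and check them against the ECDHE-ECDSA set given in the reply above.
Added example; not code from the forum thread or from Palo Alto Networks."""
import socket
import ssl

# The four forward-secrecy suites the reply says PAN-OS 8.1 offers with an
# ECDSA certificate (copied verbatim from the post; matching is name-normalised).
EXPECTED_81_ECDSA = [
    "ECDHE-ECDSA-AES-128-SHA",
    "ECDHE-ECDSA-AES-256-SHA",
    "ECDHE-ECDSA-AES-128-GCM-SHA-256",
    "ECDHE-ECDSA-AES-256-GCM-SHA-384",
]

# Constructed sample of what a scanner might list for a TLS 1.2 server with an
# RSA certificate: ECDHE-RSA suites (forward secret) plus plain RSA key
# exchange (the "static key" suites). Not taken from a real PAN-OS scan.
SAMPLE_RSA_CERT_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def normalize(suite):
    """Map IANA (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), OpenSSL
    (ECDHE-ECDSA-AES128-GCM-SHA256) and the post's hyphenated spelling
    (ECDHE-ECDSA-AES-128-GCM-SHA-256) to one comparable token."""
    s = suite.upper()
    if s.startswith(TLS13_PREFIXES):
        return s  # keep TLS 1.3 names intact so they cannot collide with RSA-kx names
    if s.startswith("TLS_"):
        s = s[4:]
    return s.replace("_WITH_", "_").replace("-", "").replace("_", "")


def uses_static_key(suite):
    """True when the key exchange is not ephemeral (RSA, static DH/ECDH, PSK),
    i.e. the kind of suite an ssl-static-key-ciphers finding points at.
    Anonymous (ADH/AECDH) suites are flagged too: they are unauthenticated
    and must go regardless."""
    s = suite.upper()
    if s.startswith(TLS13_PREFIXES):
        return False  # TLS 1.3: key exchange is always (EC)DHE
    # Ephemeral markers: ECDHE/DHE (IANA and OpenSSL) and EDH (older OpenSSL).
    return not any(marker in s for marker in ("ECDHE", "DHE", "EDH"))


def audit_suites(offered):
    """Split an offered list into forward-secret and static-key suites."""
    result = {"forward_secret": [], "static_key": []}
    for suite in offered:
        key = "static_key" if uses_static_key(suite) else "forward_secret"
        result[key].append(suite)
    return result


def unexpected_suites(offered, allowed=EXPECTED_81_ECDSA):
    """Offered suites outside the allowed set, compared by normalised name.
    An empty list means the server matches the hardened profile."""
    allowed_norm = {normalize(a) for a in allowed}
    return [s for s in offered if normalize(s) not in allowed_norm]


def probe_offered_suites(host, port=443, timeout=3.0):
    """Enumerate the TLS 1.2 suites a live server accepts by offering exactly
    one suite per handshake (the same technique cipher scanners use).
    Certificate validation is disabled on purpose: we only want the cipher."""
    base = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    base.set_ciphers("ALL")  # every TLS <= 1.2 suite this OpenSSL build knows
    candidates = [c["name"] for c in base.get_ciphers()
                  if not c["name"].startswith("TLS_")]  # skip TLS 1.3 entries
    offered = []
    for name in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(name)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    offered.append(tls.cipher()[0])  # server accepted this suite
        except (ssl.SSLError, OSError):
            continue  # handshake refused: server does not offer this suite
    return offered


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    suites = probe_offered_suites(target) if target else SAMPLE_RSA_CERT_SERVER
    report = audit_suites(suites)
    print("static-key suites still offered:", report["static_key"])
    print("outside the 8.1 ECDSA profile:", unexpected_suites(suites))
```

Run it with the management IP as the only argument (from a host that is permitted to reach the management interface); with no argument it audits the constructed sample. After the ECDSA profile is applied, both printed lists should be empty; anything in the first list is what the scanner will keep reporting.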
02-13-2020 10:54 PM
Hello
We want to find out, with your help, whether there are recommended official docs about the vulnerabilities identified in a generic vulnerability scan of the Management Web Interface:
1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)
Do you know if there is official Palo Alto documentation on these?
Thanks for your help
12-09-2020 08:46 AM
Hello,
Yes, there are official docs from PAN for the HTTP methods; please check the KB article "HTTP Options/Delete Method Enabled Vulnerability".
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB0hCAG
Regards,
Abdessamed