How to fix this vulnerability in palo alto?


L3 Networker

Hi,

Please help to resolve the following vulnerabilities.

Vulnerabilities:
1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Thanks in advance

Cyber Elite

@karthikeyanB,

Any additional information here would be great, such as what interface you were scanning (MGMT, GlobalProtect Portal)? 

L3 Networker

Management

Hi Team,

Could you help us here to fix the vulnerability?

Note: Getting this vulnerability when scanning the Management port.

 

PAN-OS version 8.1.9

 

Regards,

Sethupathi M

Hi

We are also getting the same vulnerabilities from security scans on the Management port.

 

We are running PAN OS 8.1.9

 

Any assistance would be greatly appreciated.

 

Regards

 

Stuart

Hi Stuart,


For the HTTP OPTIONS and DELETE methods being allowed (note there is no associated CVE and both are standard HTTP methods):

After review, neither HTTP method has any actual impact on the firewall management Web GUI; therefore the said vulnerability was not applicable in this scenario.

The Palo Alto firewall allows the HTTP OPTIONS and DELETE methods because a new RESTful API capability is using them, not the web server itself. Therefore these two listed vulnerabilities are not applicable to the Palo Alto Networks firewall.

- HTTP DELETE Method
- HTTP OPTIONS Method


For the last vulnerability, "3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)", related to static key ciphers, this can be mitigated by using an ECDSA-based certificate, which will limit the firewall to the following forward-secrecy ciphers in 8.1:

ECDHE-ECDSA-AES-128-SHA
ECDHE-ECDSA-AES-256-SHA
ECDHE-ECDSA-AES-128-GCM-SHA-256
ECDHE-ECDSA-AES-256-GCM-SHA-384

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC

Steps for securing the administrative access:

1) Generate/import an ECDSA server certificate on the firewall. This can be generated by using a self-signed ECDSA CA or your internal PKI ECDSA certificate. Please note the certificate that is referenced by the SSL/TLS service profile cannot be a CA certificate.
2) Create an SSL/TLS service profile with Min and Max versions set to TLSv1.2
3) Reference the ECDSA certificate in the service profile
4) Apply the profile(s) to the various L3 SSL/TLS services


Hope this clarifies.

 

-
Regards,
Sethupathi M
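The reply above distinguishes static-key cipher suites from the forward-secrecy ECDHE suites that remain after moving to an ECDSA certificate. The following is an added example (not from the thread or from Palo Alto Networks) that sorts an OpenSSL-style cipher list, as a scanner would report it, by key-exchange mechanism, so you can confirm from the scan output whether the "ssl-static-key-ciphers" finding would still fire. The sample list is constructed: the four suite names quoted in the reply plus three static-key suites for contrast.

```python
"""Classify OpenSSL-style cipher-suite names by key exchange (added example)."""

# Prefixes OpenSSL uses for ephemeral (forward-secret) key exchange.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Anonymous DH/ECDH: ephemeral but unauthenticated, never acceptable.
ANON_PREFIXES = ("ADH-", "AECDH-")
# Static (non-ephemeral) ECDH key exchange.
STATIC_ECDH_PREFIXES = ("ECDH-",)
# TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral (EC)DHE.
TLS13_PREFIX = "TLS_"


def key_exchange(suite: str) -> str:
    """Return 'ephemeral', 'anonymous' or 'static' for one suite name."""
    name = suite.strip().upper()
    if name.startswith(TLS13_PREFIX) or name.startswith(EPHEMERAL_PREFIXES):
        return "ephemeral"
    if name.startswith(ANON_PREFIXES):
        return "anonymous"
    if name.startswith(STATIC_ECDH_PREFIXES):
        return "static"
    # Everything else in OpenSSL naming (AES128-SHA, DES-CBC3-SHA, PSK-...)
    # carries no ephemeral key exchange: RSA key transport or a static PSK.
    return "static"


def classify(suites):
    """Bucket a list of suite names; blank lines are ignored."""
    buckets = {"forward_secrecy": [], "anonymous": [], "static_key": []}
    names = {"ephemeral": "forward_secrecy", "anonymous": "anonymous",
             "static": "static_key"}
    for s in suites:
        if s.strip():
            buckets[names[key_exchange(s)]].append(s.strip())
    return buckets


def static_key_finding_applies(suites) -> bool:
    """True if at least one offered suite lacks ephemeral key exchange."""
    report = classify(suites)
    return bool(report["static_key"] or report["anonymous"])


# Constructed sample scanner output: the four suites from the reply above,
# then three suites a scanner flags as static-key ciphers.
SAMPLE = """ECDHE-ECDSA-AES-128-SHA
ECDHE-ECDSA-AES-256-SHA
ECDHE-ECDSA-AES-128-GCM-SHA-256
ECDHE-ECDSA-AES-256-GCM-SHA-384
AES128-SHA
AES256-GCM-SHA384
ECDH-RSA-AES128-SHA
"""

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE.splitlines()).items():
        print(bucket, names)
    print("finding applies:", static_key_finding_applies(SAMPLE.splitlines()))
```

Feed it the cipher list from your scanner's report; an empty `static_key` and `anonymous` bucket means the ECDSA certificate and TLSv1.2-only profile have removed everything the finding is about.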

Hello

We want to find out with your help if there are recommended official docs about those vulnerabilities identified in a generic Vuln Scan on Management Web Interface:

1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Do you know if there is any official Palo Alto documentation on this?
Thanks for your help

Hello, 

Yes, there is an official doc from PAN for HTTP methods; please check the KB article "HTTP Options/Delete Method Enabled Vulnerability".

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB0hCAG

 

Regards, 

Abdessamed
