How to solve "CWE-693 : Protection Mechanism Failure" in Paloalto firewall


L1 Bithead

Hello Geeks,

 

During our compliance scanning (PCI-DSS External Scanning) process on our Paloalto 3020 firewalls, the scanner found a new vulnerability, "CWE-693 : Protection Mechanism Failure", and suggested fixing it ASAP to comply. Hence, I started googling to solve this issue and found no useful solutions for it yet. Is there any way to solve this issue? I am sure that every organization trying to comply with the PCI-DSS external scanning process is facing this issue now. I really appreciate your kind suggestions and help.

 

Best Regards,

Wai Yan Phyo



Cyber Elite

Does the scan provide a subdivision of detected failures?

 

The CWE seems to be an extremely broad statement that can't be addressed in itself (besides pulling the plug).

 

Did you scan the management interface or a dataplane management profile? Have you got weak services enabled (telnet, http, ...) maybe?

Tom Piens
PANgurus

 

Hi Reaper,

 

Thanks for your kind response.

 

The scanner reported that the following HTTP headers are absent on our firewall:

X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
Public-Key-Pins
Strict-Transport-Security

 

As this is external compliance scanning, the public-facing (external) interface was scanned and we didn't enable any insecure services like telnet and http.
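An added checker, not from the thread or from Palo Alto, that audits a captured HTTP response head for the headers the scan listed above and flags weak values where a header is present; the sample response is constructed, not captured from a firewall.

```python
from typing import Dict, List

# Headers named in the scan result; HPKP (Public-Key-Pins) is obsolete in
# current browsers, so its absence is usually informational rather than a risk.
REQUIRED = ["X-XSS-Protection", "X-Frame-Options", "X-Content-Type-Options",
            "Public-Key-Pins", "Strict-Transport-Security"]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a case-insensitive header map.

    Names are lower-cased; repeated headers are joined with commas.
    """
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(raw: str) -> List[str]:
    """Return findings: missing headers first, then weak values."""
    h = parse_headers(raw)
    findings = [f"missing: {n}" for n in REQUIRED if n.lower() not in h]
    hsts = h.get("strict-transport-security", "").replace(" ", "").lower()
    if hsts and "max-age=" not in hsts:
        findings.append("weak: Strict-Transport-Security lacks max-age")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: X-Frame-Options value '{xfo}'")
    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("weak: X-Content-Type-Options is not 'nosniff'")
    return findings


# Constructed sample: only the headers the thread says PAN-OS 8.0.8 adds.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
          "Content-Security-Policy: default-src 'self'\r\n\r\n<html>")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against a head captured with `curl -sI` to see exactly which of the scanner's headers a given interface still lacks after an upgrade or policy change.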

 

 

Is there a management profile enabled on your external interface?

 

There are a couple of tips to improve security on your external interface:

 

Don't run a management profile on it; use GlobalProtect instead to get to the internal network and connect from there. If this is not an option, enable an ACL on the management profile restricting access to only a select few management IPs.

 

If this was not a mgmt profile but a GP portal/gateway, you can move the portal and gateway to a loopback interface so you can create a security profile to protect the portal/gw.

 

If this was a scan that hit a NAT rule (so a scan rerouted to an internal server), you'll need to review your internal server, but you can add a decryption policy with a decryption profile that enforces minimum protocol version and algorithms.

Tom Piens
PANgurus

- There is no management profile enabled on this external interface. 

 

- Yes, this is just used for the GlobalProtect portal / gateway. We may consider using it with a loopback and setting security profiles on it as per your suggestions.

 

- Apart from these protections on the firewall, is there any other HTTP header protection which can be enabled on the firewall? I am asking because the scanner would show the same unprotected vulnerability in the report after scanning, due to the lack of its suggested protection methods being enabled on the firewall.

 

- Only manual verification / testing would prove that the device is protecting itself from these mentioned risks. Also, we are not sure if the ASV would accept these securing and hardening measures as a compensating control to mitigate this vulnerability.

 

However, we really appreciate your kind, patient and continuous suggestions and support.

 

The GP portal and gateway are already hardened but putting a security profile on top would block incoming scans or exploits for potentially vulnerable services before they hit the service itself.

Legitimate connections where something is reported as missing would still come back, but an actual exploit will be blocked by the profile.

 

You could reach out to your local sales team to have a more thorough investigation of your configuration; they can run best practices and recommendations tools on your config, make a more in-depth analysis of your situation, and possibly provide better tailored mitigation advice.

Tom Piens
PANgurus


L0 Member

Having the same issue; however, I am getting this not on the GP interface but on another. How did you solve this?

Hi Sruddy,

 

PA recommends upgrading to PAN-OS 8.0.8 to mitigate this vulnerability. This upgrade will enable the following HTTP headers on the PA firewall:

 

X-XSS-Protection
X-Content-Type-Options

Content-Security-Policy

 

Thank you.

 

Best Regards,

Wai Yan
