Global Protect - Redirection via Arbitrary Host Header Manipulation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect - Redirection via Arbitrary Host Header Manipulation

L0 Member

Having ran a PCI DSS compliance scan it has come back that our Global Protect VPN setup is flagged as a failing vulnerability for Redirection via Arbitrary Host Header Manipulation.

 

We have it setup to redirect to azure to authenticate account details.

 

The solution they have given us to fix the issue is;

Implementing proper validation and sanitization of input headers is essential to mitigate the risks of Host header injection.
Whitelist domains, only allow permitted domains to be included in Host header.

 

How do we go about implementing this.

8 REPLIES 8

L1 Bithead

Ours doesn't even redirect that far out.  It merely redirects HTTP to HTTPS for local authentication in order to view the links to download the GlobalProtect client(s).   One very unclear recommendation I saw a month or two back was to filter (deny) HTTP traffic (with no other details) but this seemed like a great way to break legitimate traffic for end users if not implemented correctly.

L0 Member

Hi Arachen,

 

I just ran a scan and received the exact same result as you. Everything passed except for the issue you're seeing as well. Were you ever able to figure out a fix for this issue?

L0 Member

We are having the same issue with our PCI compliance scans for credit card processing. We do this quarterly and it just started failing this time so I guess the compliance scans are now flagging this. I's not enough to disable the portal landing page. A redirect to a non-existent page still occurs and that is what is being flagged. 

 

We tried explicitly blocking the redirect page, but the redirect still occurs. This seems like something Palo Alto needs to address if they have not already. We have a support case open so we'll see if someone has an answer.

L2 Linker

Was a resolution found to this issue?

No fix that I'm aware of.  I am raising a false positive report with PCI Assure which is the vendor I have to deal with and am looping them in on this forum post within that.

L1 Bithead

Case # 02750366 submitted to support as I've had to take time out for this issue far too many times now.

L3 Networker

Hello Team, Is there any update from TAC on this we are seeing a similar issue.

It appears support has attempted to call me several times but the call is not being accepted/connected.  That probably is not a PA issue however, as we've had many problems with our hosted VoIP provider.  Still, my ticket detail references this community discussion topic with a direct link to it and specifically asks, "If you would, please respond to this post with directions on how to block HTTP requests ONLY for the GlobalProtect portal."

It would be nice for all if support could provide a guide here on how to work around this.

  • 4699 Views
  • 8 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!