This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Vulnerability Protection for CVE-2024-3400

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Vulnerability Protection for CVE-2024-3400

mb_equate
L3 Networker

‎05-22-2024 11:20 PM - edited ‎05-22-2024 11:21 PM

TL;DR: ensure you are applying Vulnerability Protection to web-browsing traffic hitting your GP portal interface, if you rely on the intrazone-default allow

 

I was responding to another case of this flu. Even though the best-practice strict VP profile was attached to the rule allowing access to the GlobalProtect interface, a test for the vuln (curl -kH "Cookie: SESSID=/../TESTVULN" https://<target>/global-protect/login.esp) yielded positive results.

 

What The Firewall? Turns out exploit traffic does not match the required apps in the GP rule (panos-global-protect, ssl) and instead matches web-browsing. Thanks to the default, intrazone-default rule, this traffic was permitted without Threat Prevention being applied.

 

The fix? Multiple. In order of effectiveness...

1. Change your intrazone-default rule to Deny

  a. This is by no means a simple change, and should not be done without analysis and required policy adjustments

  b. Why? See LIVEcommunity - Should I override the intrazone-default to deny? - LIVEcommunity - 581801 (paloalton...

2. Override the intrazone-default rule and enable Threat Prevention

  a. Even better, create a security profile group based on best practices, call it default (lower case d) and use it everywhere

3. Add web-browsing to the rule that provides access to GP portal

 a. Ideally you should not be permitting web-browsing to your GP interface, either explicitly or through intrazone-default. BUT if you must, do this.

0 Likes Likes
2 REPLIES 2

kiwi
Community Team Member

‎05-23-2024 02:51 AM

Hi @mb_equate ,

 

As always thanks for your insights !

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Frank-Bussink
L0 Member

‎05-31-2024 05:58 AM

Hi,

 

I would also add another layer of security, which came to mind after this **bleep** CVE.

Use a wildcard certificate as SSL cert. (by the way even Let's encrypt proposes wildcards). 

Generate a random hostname for the GP hostname. Example : GP-123456.mydomain.com

Create a Custom URL category with only that FQDN (https://GP-123456.mydomain.com)

Add the URL category to your incoming rule policy for GP.

Add another rule below it, with the dest GP IP and action as Drop (silently)

This means, if a scanner or anybody uses not the correct FQDN, the communication will be dropped.

And by using a wildcard, it is not possible to guess the hostname 

😉

0 Likes Likes
  • 1051 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks