Palo Alto Networks Informational Security Advisory - May 15, 2019

Started by icecream-guy, May 16, 2019, 05:36:05 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

icecream-guy

May 16, 2019, 05:36:05 AM
Information about PAN-OS Finding
Summary
An issue was resolved in PAN-OS that resulted in configured Layer 3 interfaces erroneously opening ports 28869/tcp and 28870/tcp on the IP address assigned to the Layer 3 interface, which bind to an internal service that performs HTTP 301 redirection to the HTTPS port (443/tcp) on the same interface IP address. There are no known vulnerabilities or immediate security risks posed by this issue; however customers are advised to review this issue and determine the appropriate next steps. (Refer to PAN-94058 and PAN-101704 in the release notes associated with your release: https://docs.paloaltonetworks.com/pan-os.html.
Severity: Info
An issue was resolved in PAN-OS that resulted in a configured Layer 3 interface erroneously opening ports 28869/tcp and 28870/tcp on the IP address assigned to the Layer 3 interface. These ports bind to an internal service that performs an HTTP 301 redirect to the HTTPS port (443/tcp) on the same interface IP address. After redirection, a web client will attempt to connect to the original destination IP address on 443/tcp and, if any such service is configured on the interface by the administrator (such as on the GlobalProtect portal or the device management interface), the client will connect successfully. In the absence of a configured service, any connection to 443/tcp will time out as expected. This security advisory is rated as "informational" because there are no known vulnerabilities or immediate security risks posed by this issue; however, because unexpected open ports (28869/tcp and 28870/tcp) may appear in routine scans or audits, we advise you to review this issue and determine appropriate next steps for your environment.
Products Affected
Firewalls with GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.11 or PAN-OS 8.1.0 to PAN-OS 8.1.1.
Firewalls without GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.13 or PAN-OS 8.1.0 to PAN-OS 8.1.3. 
Firewalls running PAN-OS 7.1 or PAN-OS 9.0 are NOT affected.
Available Updates
Firewalls with GlobalProtect enabled: PAN-OS 8.0.12 or a later PAN-OS 8.0 release and PAN-OS 8.1.2 or a later PAN-OS release. Firewalls without GlobalProtect enabled: PAN-OS 8.0.14 or a later PAN-OS 8.0 release and PAN-OS 8.1.4 or a later PAN-OS release.
Workarounds and Mitigations
Firewall administrators can create an explicit deny policy that blocks ports 28869/tcp and 28870/tcp on the affected L3 interface addresses. For more information on configuration, please refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLxl

Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/

.
If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support

.

Regards
,
Product Security Incident Response Team

Palo Alto Networks
:professorcat:

My Moral Fibers have been cut.
Print
Go Up Pages1
User actions