The difficulty doesn’t have an effect on the corporate’s Cloud NGFW or Prisma Entry software program.
Greynoise said exploitation began around Tuesday of this week. Assetnote published research concerning the gap on Wednesday. Palo Alto Networks printed its advisory the identical day.
‘Bizarre path-processing habits’
The vulnerability, Assetnote stated, is a “bizarre path-processing habits” within the Apache HTTP server a part of PAN-OS, which, together with Nginx, handles net requests to entry the PAN-OS administration interface. The net request first hits the Nginx reverse proxy, and whether it is on a port that signifies it’s destined for the administration interface, PAN-OS units a number of headers; a very powerful of them is X-pan AuthCheck. The Nginx configuration then goes by way of a number of location checks and selectively units the auth test to off. The request is then proxied to Apache, which is able to re-normalize and re-process the request in addition to apply a rewrite rule below sure situations. If the file requested is a PHP file, Apache will then move by way of the request by way of mod_php FCGI, which enforces authentication primarily based upon the header.
The issue is that Apache could course of the trail or headers in a different way to Nginx earlier than the entry request is handed to PHP, so if there’s a distinction between what Nginx thinks a request appears like and what Apache thinks it appears like, an attacker might obtain an authentication bypass.
Assetnote describes this as a “fairly frequent” structure downside the place authentication is enforced at a proxy layer, however then the request is handed by way of a second layer with completely different habits. “Basically,” the analysis observe added, “these architectures result in header smuggling and path confusion, which may end up in many impactful bugs.”
