
Palo Alto Networks firewall bug being exploited by threat actors: Report

The issue doesn’t affect the company’s Cloud NGFW or Prisma Access software.

GreyNoise said exploitation began around Tuesday of this week. Assetnote published research about the hole on Wednesday. Palo Alto Networks published its advisory the same day.

‘Bizarre path-processing behavior’

The vulnerability, Assetnote said, is a “bizarre path-processing behavior” in the Apache HTTP server component of PAN-OS, which, along with Nginx, handles web requests to access the PAN-OS management interface. The web request first hits the Nginx reverse proxy, and if it is on a port that indicates it’s destined for the management interface, PAN-OS sets several headers; the most important of them is X-pan-AuthCheck. The Nginx configuration then goes through several location checks and selectively sets the auth check to off. The request is then proxied to Apache, which will re-normalize and re-process the request as well as apply a rewrite rule under certain conditions. If the file requested is a PHP file, Apache will then pass the request through via mod_php FCGI, which enforces authentication based upon the header.


The problem is that Apache may process the path or headers differently from Nginx before the access request is handed to PHP, so if there is a difference between what Nginx thinks a request looks like and what Apache thinks it looks like, an attacker could achieve an authentication bypass.

Assetnote describes this as a “fairly widespread” architecture problem where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior. “Essentially,” the research note added, “these architectures lead to header smuggling and path confusion, which can result in many impactful bugs.”
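The two-layer disagreement described above can be checked for in access logs. The following is an added example, not code from Assetnote or Palo Alto Networks: it models a front layer that decodes a path once and a second layer that re-decodes it, and flags requests where the two views differ. The `/public/` prefix, the sample paths and the decoding rules are assumptions chosen for illustration, not the actual Nginx or Apache behavior in PAN-OS.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical location where the front layer turns the auth check off.
PUBLIC_PREFIX = "/public/"

def front_view(raw_path):
    """Simplified front proxy: percent-decode once, then collapse dot segments."""
    return posixpath.normpath(unquote(raw_path))

def backend_view(raw_path):
    """Simplified second layer: re-decode until the path is stable, then normalize."""
    path = raw_path
    for _ in range(5):  # bounded so hostile input cannot loop for long
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)

def classify(raw_path):
    """Compare what each layer believes was requested."""
    front, back = front_view(raw_path), backend_view(raw_path)
    if front == back:
        return "consistent"
    # Front layer would skip auth, but the backend resolves outside the public area.
    if front.startswith(PUBLIC_PREFIX) and not back.startswith(PUBLIC_PREFIX):
        return "auth-mismatch"
    return "path-mismatch"

# Constructed request paths, as they might appear in an access log.
SAMPLES = [
    "/public/logo.png",
    "/admin/index.php",
    "/public/a%2520b.png",
    "/public/%252e%252e/admin/index.php",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{classify(raw):14} {raw}")
```

Any result other than `consistent` means the layer making the authentication decision and the layer serving the file did not agree on the request, which is the condition to alert on or reject at the edge.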
