The Channel logo


By | Darren Pauli 21st October 2014 06:32

Palo Alto Networks boxes spray firewall creds across the net

Crummy configurations to blame, Moore hardening offered as remedy

Misconfigured user identities for Palo Alto Networks firewalls are leaking onto the public web potentially exposing customer services including VPN and webmail, says security luminary HD Moore.

The mess is a result of a user control module being allowed to operate in untrusted zones, rather than a vulnerability in Palo's kit.

Moore said attackers could obtain user and domain names, plus encrypted NetNTLM password hashes.

"In summary, every time we triggered a PAN (Palo Alto Network) filter on a misconfigured appliance, our scanning node would receive an inbound authentication attempt by User-ID," Moore said in a post.

"This issue is not a vulnerability in the typical sense, but we felt that the impact was significant enough that it required notification and public disclosure.

"A number of PAN customers have enabled Client Probing and Host Probing within the User-ID settings, but have not limited these probes to trusted zones or the internal IP space of the organisation.

"As a result, an external attacker can trigger a security event on the PAN appliance, resulting in an outbound SMB connection from User-ID to the attacker's IP address."

Moore said the flaw can expose organisations to remote compromise, noting that attackers could use off-the-shelf tools to bounce authentication to external customer NTLMSSP infrastructure such as SSL VPNs, Outlook Web Access, and Microsoft IIS web servers.

The problem impacts scores of Windows systems management products and Moore had seen the same effects in other kit.

Palo Alto Networks' response is an advisory pointing users to best practice guidelines to harden their kit.

It recommended that users restrict user-IDs to trusted zones or IP ranges and that minimum account privileges were set.

Customers could also consult Rapid7's hardening guide to shore up their defences against account credential theft. ®

comment icon Read 2 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe