The issue does not affect the company's Cloud NGFW or Prisma Access software.
GreyNoise said exploitation began around Tuesday of this week. Assetnote published research on the hole on Wednesday. Palo Alto Networks published its advisory the same day.
‘Unusual path-processing behavior’
The vulnerability, Assetnote said, is an “unusual path-processing behavior” in the Apache HTTP server component of PAN-OS, which, together with Nginx, handles web requests to access the PAN-OS management interface. A web request first hits the Nginx reverse proxy; if it arrives on a port that indicates it is destined for the management interface, PAN-OS sets several headers, the most important of which is X-pan-AuthCheck. The Nginx configuration then goes through several location checks and selectively sets the auth check to off. The request is then proxied to Apache, which may re-normalize and re-process the request as well as apply a rewrite rule under certain conditions. If the requested file is a PHP file, Apache then passes the request through to PHP via mod_php FCGI, which enforces authentication based on that header.
The problem is that Apache may process the path or headers differently from Nginx before the request is handed to PHP. If there is a difference between what Nginx thinks a request looks like and what Apache thinks it looks like, an attacker could achieve an authentication bypass.
Assetnote describes this as a “fairly common” architecture problem in which authentication is enforced at a proxy layer, but the request is then passed through a second layer with different behavior. “Generally,” the research note added, “these architectures lead to header smuggling and path confusion, which can result in many impactful bugs.”
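The following is an added example, not code from PAN-OS, Assetnote or the article, that models the two-layer pattern the article describes: a front proxy decides whether authentication is required from its own view of the request path and forwards that decision in a header, while the back end re-normalizes the path before serving it. Only the header name X-pan-AuthCheck comes from the article; the route names, the two normalizers and the "naive" versus "hardened" back ends are constructed for illustration. The hardened back end shows the mitigation: re-derive the authentication requirement from the canonical path that will actually be served, and never let an inbound header weaken it.

```python
import posixpath
from urllib.parse import unquote

# Constructed model of a proxy-then-backend design (added example, not PAN-OS code).
AUTH_HEADER = "X-pan-AuthCheck"   # header name from the article; its handling here is modelled
PUBLIC_PREFIX = "/public"         # constructed: the only route the proxy exempts from auth


def is_public(path):
    """Route rule shared by both layers: exempt only /public and anything under it."""
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")


def proxy_view(raw_path):
    """Front proxy (Nginx-like in this model): matches location rules on the raw,
    undecoded request path."""
    return raw_path


def backend_view(raw_path):
    """Back end (Apache-like in this model): percent-decodes and collapses
    dot-segments before dispatching to the handler."""
    return posixpath.normpath(unquote(raw_path))


def proxy_layer(raw_path, client_headers):
    """Decides auth on the proxy's view of the path and forwards the decision in a header.
    The client-supplied copy of the header, if any, is always overwritten."""
    headers = dict(client_headers)
    headers[AUTH_HEADER] = "off" if is_public(proxy_view(raw_path)) else "on"
    return headers


def naive_backend(raw_path, headers):
    """Trusts the upstream header alone, while serving the path as *it* normalizes it.
    Returns (served_path, requires_auth)."""
    served = backend_view(raw_path)
    return served, headers.get(AUTH_HEADER) == "on"


def hardened_backend(raw_path, headers):
    """Fails closed: authentication is required if the upstream says so OR if the
    canonical path the back end is about to serve is not itself public.
    Returns (served_path, requires_auth)."""
    served = backend_view(raw_path)
    upstream_requires = headers.get(AUTH_HEADER) == "on"
    local_requires = not is_public(served)
    return served, upstream_requires or local_requires


def audit(raw_path, client_headers=None):
    """Runs one request through both back ends and reports whether the two layers
    disagree about the path. A defender can run this over a request log or a
    route table to spot where the views diverge."""
    headers = proxy_layer(raw_path, client_headers or {})
    served, naive_requires = naive_backend(raw_path, headers)
    _, hardened_requires = hardened_backend(raw_path, headers)
    return {
        "served": served,
        "views_diverge": proxy_view(raw_path) != served,
        "naive_requires_auth": naive_requires,
        "hardened_requires_auth": hardened_requires,
    }


if __name__ == "__main__":
    # Constructed sample requests: two well-formed ones and one whose encoded
    # dot-segment the proxy does not decode but the back end does.
    for path in ("/public/status", "/admin/config.php", "/public/%2e%2e/admin/config.php"):
        print(path, audit(path))
```

In the model, the third sample request is exempted by the proxy because its raw path starts with the public prefix, yet the back end serves a non-public path after decoding; the naive back end would skip authentication, the hardened one would not, and `views_diverge` flags the mismatch. The design point is that the layer which finally serves the request must make the authorization decision on the same canonical path it serves, and must treat upstream headers as something that can only tighten, never loosen, that decision.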