GlobalProtect – Disable Portal Login Page



Hello Team,


I would advise people not to use the Palo Alto GlobalProtect Portal and to move towards an MSI deployment approach.

My reasoning for this is based on an XSS vulnerability posted by Palo Alto on 10/11/18:
Cross-Site Scripting (XSS) in GlobalProtect Portal Login Page
PAN-SA-2018-0014
High
PAN-OS 8.1.3 and earlier. PAN-OS 8.0, PAN-OS 7.1 and PAN-OS 6.1 are NOT affected.
10/11/2018
10/18/2018
Source: Security Advisories
https://securityadvisories.paloaltonetworks.com/


What's XSS?

Cross-Site Scripting (XSS) is an attack in which malicious code is injected into a trusted website. The injected code runs on the user side of the website or application. There is also server-side XSS, but this vulnerability attacks from the client side. Client-side XSS is often used to get around security rules put in place to protect user data. Malicious code can even rewrite the page and redirect users to a different website that harvests personal information.

A great example of XSS was created by Samy Kamkar, who wrote an XSS worm that was able to bring down Myspace. Samy realized he was allowed to write client-side XSS within Myspace profile settings. He created code that would send Samy a friend request and place text on the infected profile. This landed him in trouble with the United States Secret Service and Electronic Crimes Task Force in 2006. He is now helping large organizations like Myspace find vulnerabilities before attackers do.

Back to the firewalls: Palo Alto has updated their code to help stop client-side scripting on the portal. You will only be protected if you have updated your PAN-OS to a version higher than 8.1.3. PAN-OS 8.0, PAN-OS 7.1 and PAN-OS 6.1 are NOT affected at the moment, but for good measure we like to stay safe regardless. The less you open yourself to attackers, the smaller the attack surface you have.

Here is a great link for how to disable the portal:

Once the portal has been disabled, go test it out 😊

How to Test:


  1. Visit https://<portal-IP>.com from your public gateway IP.
  • You should see a 502 Bad Gateway message.
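
The same test can be scripted so it can be repeated after every PAN-OS upgrade or configuration change. This is an added example, not part of the original post or any Palo Alto tooling; the function names and every verdict other than the 502 case are assumptions made for illustration. Run it from outside your network, as in the manual test.

```shell
#!/bin/sh
# Added example: verify that GlobalProtect portal addresses answer with the
# 502 Bad Gateway the post describes. Function names are hypothetical.

# Map an HTTP status code to a verdict. Only the 502 case comes from the post;
# the other verdicts are assumptions made for this example.
classify_portal_status() {
    case "$1" in
        502)     echo "disabled" ;;     # expected once the login page is off
        000|"")  echo "unreachable" ;;  # curl got no HTTP response at all
        2??|3??) echo "serving" ;;      # a page or redirect is still returned
        *)       echo "review" ;;       # any other status: inspect by hand
    esac
}

# Request one URL and print "<url> <status> <verdict>".
# -k skips certificate checks because the portal is addressed by IP here;
# only the status code is read and nothing sensitive is sent.
check_portal() {
    code=$(curl -k -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true)
    echo "$1 $code $(classify_portal_status "$code")"
}

# Check every URL given; return non-zero unless all of them are disabled.
check_all() {
    rc=0
    for url in "$@"; do
        line=$(check_portal "$url")
        echo "$line"
        case "$line" in
            *" disabled") ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run only when URLs are passed, e.g.: sh check_portal.sh https://<portal-IP>
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

The non-zero exit status makes the script usable from cron or a monitoring job, so a portal that starts answering again after a change is flagged.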

I know it does not affect all PAN-OS versions, but let's not take a gamble. Better safe than sorry.

- I will make a post on how to design your MSI deployment soon.
  Boom, it's here now:
GlobalProtect MSI deployment:
https://paloaltofirewallconfiguration.blogspot.com/2019/04/globalprotect-msi-deployment.html

Thank you,


AzNetAdmin
