The issue doesnât affect the companyâs Cloud NGFW or Prisma Access software.
Greynoise said exploitation began around Tuesday of this week. Assetnote published research about the hole on Wednesday. Palo Alto Networks published its advisory the same day.
âWeird path-processing behaviorâ
The vulnerability, Assetnote said, is a âweird path-processing behaviorâ in the Apache HTTP server part of PAN-OS, which, along with Nginx, handles web requests to access the PAN-OS management interface. The web request first hits the Nginx reverse proxy, and if it is on a port that indicates itâs destined for the management interface, PAN-OS sets several headers; the most important of them is X-pan AuthCheck. The Nginx configuration then goes through several location checks and selectively sets the auth check to off. The request is then proxied to Apache, which will re-normalize and re-process the request as well as apply a rewrite rule under certain conditions. If the file requested is a PHP file, Apache will then pass through the request via mod_php FCGI, which enforces authentication based upon the header.
The problem is that Apache may process the path or headers differently to Nginx before the access request is handed to PHP, so if there is a difference between what Nginx thinks a request looks like and what Apache thinks it looks like, an attacker could achieve an authentication bypass.Â
Assetnote describes this as a âquite commonâ architecture problem where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior. âFundamentally,â the research note added, âthese architectures lead to header smuggling and path confusion, which can result in many impactful bugs.â
