An issue was resolved in PAN-OS that resulted in a configured Layer 3 interface erroneously opening ports 28869/tcp and 28870/tcp on the IP address assigned to the Layer 3 interface. These ports bind to an internal service that performs an HTTP 301 redirect to the HTTPS port (443/tcp) on the same interface IP address. After redirection, a web client will attempt to connect to the original destination IP address on 443/tcp and, if any such service is configured on the interface by the administrator (such as on the GlobalProtect portal or the device management interface), the client will connect successfully. In the absence of a configured service, any connection to 443/tcp will time out as expected.
This security advisory is rated as “informational” because there are no known vulnerabilities or immediate security risks posed by this issue; however, because unexpected open ports (28869/tcp and 28870/tcp) may appear in routine scans or audits, we advise you to review this issue and determine appropriate next steps for your environment. (Refer to PAN-94058 and PAN-101704 in the release notes associated with your release: https://docs.paloaltonetworks.com/pan-os.html.)
This issue affects Firewalls with GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.11-h1 or PAN-OS 8.1.0 to PAN-OS 8.1.1.
Firewalls without GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.13 or PAN-OS 8.1.0 to PAN-OS 8.1.3.
Firewalls running PAN-OS 7.1 or PAN-OS 9.0 are NOT affected.
|PAN-OS 8.1||<= 8.1.1 on with GlobalProtect, <= 8.1.3 on without GlobalProtect||>= 8.1.2 on with GlobalProtect, >= 8.1.4 on without GlobalProtect|
|PAN-OS 8.0||<= 8.0.1h-h1 on with GlobalProtect, <= 8.0.13 on without GlobalProtect||>= 8.0.12 on with GlobalProtect, >= 8.0.14 on without GlobalProtect|
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
Firewalls with GlobalProtect enabled: PAN-OS 8.0.12, PAN-OS 8.1.2 or a later release.
Firewalls without GlobalProtect enabled: PAN-OS 8.0.14, 8.1.4 or a later release.
Firewall administrators can create an explicit deny policy that blocks ports 28869/tcp and 28870/tcp on the affected L3 interface addresses. For more information on configuration, please refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLxl