PAN-SA-2019-0011 Informational: PAN-OS unexpected open ports

Severity 0 · NONE
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

An issue was resolved in PAN-OS that resulted in a configured Layer 3 interface erroneously opening ports 28869/tcp and 28870/tcp on the IP address assigned to the Layer 3 interface. These ports bind to an internal service that performs an HTTP 301 redirect to the HTTPS port (443/tcp) on the same interface IP address. After redirection, a web client will attempt to connect to the original destination IP address on 443/tcp and, if any such service is configured on the interface by the administrator (such as on the GlobalProtect portal or the device management interface), the client will connect successfully. In the absence of a configured service, any connection to 443/tcp will time out as expected.

This security advisory is rated as “informational” because there are no known vulnerabilities or immediate security risks posed by this issue; however, because unexpected open ports (28869/tcp and 28870/tcp) may appear in routine scans or audits, we advise you to review this issue and determine appropriate next steps for your environment. (Refer to PAN-94058 and PAN-101704 in the release notes associated with your release: https://docs.paloaltonetworks.com/pan-os.html.)

This issue affects firewalls with GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.11-h1 or PAN-OS 8.1.0 to PAN-OS 8.1.1, and firewalls without GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.13 or PAN-OS 8.1.0 to PAN-OS 8.1.3.

Firewalls running PAN-OS 7.1 or PAN-OS 9.0 are NOT affected.

Product Status

| Versions | Affected | Unaffected |
| --- | --- | --- |
| PAN-OS 9.0 | None | 9.0.* |
| PAN-OS 8.1 | <= 8.1.1 with GlobalProtect, <= 8.1.3 without GlobalProtect | >= 8.1.2 with GlobalProtect, >= 8.1.4 without GlobalProtect |
| PAN-OS 8.0 | <= 8.0.11-h1 with GlobalProtect, <= 8.0.13 without GlobalProtect | >= 8.0.12 with GlobalProtect, >= 8.0.14 without GlobalProtect |
| PAN-OS 7.1 | None | 7.1.* |

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

Weakness Type

CWE-668 Exposure of Resource to Wrong Sphere

Solution

Firewalls with GlobalProtect enabled: PAN-OS 8.0.12, PAN-OS 8.1.2 or a later release.

Firewalls without GlobalProtect enabled: PAN-OS 8.0.14, 8.1.4 or a later release.

Workarounds and Mitigations

Firewall administrators can create an explicit deny policy that blocks ports 28869/tcp and 28870/tcp on the affected L3 interface addresses. For more information on configuration, please refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLxl
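
For triaging scan results against this advisory, the following added example (not Palo Alto Networks code) classifies a PAN-OS version using the affected and fixed releases stated above and maps a scan finding to a next step. The hosts and findings are constructed, and the "unlisted" result for releases the advisory does not name (for example a hotfix between the last affected and the first fixed release) is this example's own convention.

```python
import re

ADVISORY_PORTS = {28869, 28870}
# (first affected, last affected, first fixed) from the advisory, keyed by "GlobalProtect enabled?"
RANGES = {
    True: [("8.0.8", "8.0.11-h1", "8.0.12"), ("8.1.0", "8.1.1", "8.1.2")],
    False: [("8.0.8", "8.0.13", "8.0.14"), ("8.1.0", "8.1.3", "8.1.4")],
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """'8.0.11-h1' -> (8, 0, 11, 1); a release without a hotfix suffix gets hotfix 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(version, gp_enabled):
    """Return 'affected', 'unaffected' or 'unlisted' (the advisory does not say)."""
    v = parse_version(version)
    if v[:2] == (7, 1) or v[:2] > (8, 1):
        return "unaffected"  # 7.1 and 9.0 are named; newer trains count as "a later release"
    for first, last, fixed in RANGES[bool(gp_enabled)]:
        lo, hi, fx = (parse_version(x) for x in (first, last, fixed))
        if v[:2] == lo[:2]:  # same release train (8.0 or 8.1)
            if lo <= v <= hi:
                return "affected"
            if v >= fx:
                return "unaffected"
    return "unlisted"  # e.g. 8.0.11-h2, or releases before 8.0.8

def triage(finding):
    """Map one scan finding (dict) to a next step for the auditor."""
    seen = ADVISORY_PORTS & set(finding["open_ports"])
    if not seen:
        return "no advisory ports open"
    status = classify(finding["version"], finding["gp_enabled"])
    if status == "affected":
        return "explained by PAN-SA-2019-0011: upgrade or add deny policy"
    return f"not explained by PAN-SA-2019-0011 ({status} release): investigate"

# Constructed scan findings (hypothetical hosts on documentation addresses).
FINDINGS = [
    {"host": "192.0.2.10", "version": "8.0.11-h1", "gp_enabled": True, "open_ports": [443, 28869, 28870]},
    {"host": "192.0.2.11", "version": "8.1.2", "gp_enabled": True, "open_ports": [443, 28869]},
    {"host": "192.0.2.12", "version": "9.0.1", "gp_enabled": True, "open_ports": [443]},
]
for f in FINDINGS:
    print(f["host"], "->", triage(f))
```

A finding on a release the advisory lists as fixed is flagged for investigation rather than attributed to this issue.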

© 2020 Palo Alto Networks, Inc. All rights reserved.