Palo Alto Networks PAN-OS 7.0.0 LDAP Authentication Bypass (PAN-SA-2015-0005)

2015-08-19T00:00:00
ID PALO_ALTO_PAN-SA-2015-0005.NASL
Type nessus
Reporter Tenable
Modified 2017-05-30T00:00:00

Description

The remote host is running Palo Alto Networks PAN-OS version 7.0.0. It is, therefore, affected by an unspecified flaw in the LDAP authentication process. A remote attacker can exploit this to bypass authentication checks presented by the captive portal component or the device management interfaces.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when `description` is set, the plugin only records the
# metadata below and exits; none of the calls in this block contact the target.
if (description)
{
  # Plugin identity and revision.
  script_id(85535);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2017/05/30");

  # External vulnerability reference (OSVDB).
  script_osvdb_id(125404);

  script_name(english:"Palo Alto Networks PAN-OS 7.0.0 LDAP Authentication Bypass (PAN-SA-2015-0005)");
  # The summary states that this is a version check; the plugin does not
  # attempt the bypass itself.
  script_summary(english:"Checks the PAN-OS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an authentication security bypass
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Palo Alto Networks PAN-OS version 7.0.0. It
is, therefore, affected by an unspecified flaw in the LDAP
authentication process. A remote attacker can exploit this to bypass
authentication checks presented by the captive portal component or the
device management interfaces.");
  # Vendor advisory and remediation shown to the operator.
  script_set_attribute(attribute:"see_also", value:"https://securityadvisories.paloaltonetworks.com/Home/Detail/32");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Palo Alto Networks PAN-OS 7.0.1 or later.");
  # CVSSv2 vector: network reachable, low complexity, no authentication,
  # complete confidentiality / integrity / availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  # Disclosure, patch and plugin release dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/19");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  # The CPE covers PAN-OS as a whole; the affected version is narrowed down
  # by the check code, not here.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Palo Alto Local Security Checks");

  # KB keys that must exist before the check runs.
  # NOTE(review): presumably populated by palo_alto_version.nbin - confirm.
  script_dependencies("palo_alto_version.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version");

  script_copyright(english:"This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.");

  # Leave before any check code is reached.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");


# Use the SSH wrapper layer only when the SSH library reports that it can
# run commands; otherwise switch the wrappers off.
if (sshlib::get_support_level() < sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  disable_ssh_wrappers();
else
  enable_ssh_wrappers();

# This is a local (credentialed) check; stop if local checks are not enabled.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Defaults: nothing is reported unless both values are set further down.
has_ldap = FALSE;
fix = FALSE;

app_name = "Palo Alto Networks PAN-OS";

# Both version strings come from the knowledge base; a missing key ends the
# plugin here.
version = get_kb_item_or_exit("Host/Palo_Alto/Firewall/Version");
full_version = get_kb_item_or_exit("Host/Palo_Alto/Firewall/Full_Version");

# The check matches exactly one release, 7.0.0; any other version is audited
# out as not vulnerable.
if (version != "7.0.0")
  audit(AUDIT_INST_VER_NOT_VULN, app_name, full_version);
else
  fix = "7.0.1";

# Decide whether LDAP authentication is in use on the device.
# With report_paranoia below 2 the running configuration is queried over SSH
# and LDAP must show up in the output. At 2 and above nothing is queried and
# LDAP use is assumed, accepting the risk of a false positive.
# NOTE(review): only the shared/authentication-profile xpath is queried, so a
# profile defined outside the shared scope would not be seen - confirm.
# NOTE(review): output without "ldap" is read as "no LDAP profile"; a command
# that failed to run may be indistinguishable from that here, which would be a
# false negative - confirm what ssh_cmd() returns on failure.
if (report_paranoia >= 2)
  has_ldap = TRUE;
else
{
  ldap_query = "show config running xpath shared/authentication-profile | match 'ldap'";

  session = ssh_open_connection();
  if (!session)
    audit(AUDIT_FN_FAIL, "ssh_open_connection");

  ldap_output = ssh_cmd(cmd:ldap_query, nosh:TRUE, nosudo:TRUE, noexec:TRUE, no53:TRUE);
  ssh_close_connection();

  # Case-sensitive substring match on the command output.
  if ("ldap" >< ldap_output)
    has_ldap = TRUE;
}

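# Final verdict.
#  - No fix recorded: the version is not the affected release.
#  - Affected release but no LDAP profile found: the host is not reported,
#    and the exit message says why. The original audited this case as
#    "version not vulnerable", which misstates an affected release as safe and
#    hides that the result depends on configuration that can change.
#  - Affected release with LDAP in use (or assumed): report the finding.
if (!fix)
  audit(AUDIT_INST_VER_NOT_VULN, app_name, full_version);
else if (!has_ldap)
  exit(0, app_name + " " + full_version + " is an affected version, but no LDAP authentication profile was found in the shared configuration.");
else
{
  if (report_verbosity > 0)
  {
    # Give the operator the installed build and the first fixed release.
    report =
      '\n  Installed version : ' + full_version +
      '\n  Fixed versions    : ' + fix +
      '\n';
    security_hole(extra:report, port:0);
  }
  else security_hole(0);
}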