Palo Alto Networks PAN-OS Firewall/Panorama WebUI Default Credentials

2013-12-17T00:00:00
ID PALO_ALTO_WEBUI_DEFAULT_CREDS.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2013-12-17T00:00:00

Description

The Palo Alto Networks PAN-OS Firewall / Panorama WebUI interface on the remote host has the 'admin' user account secured with the default password. An unauthenticated, remote attacker can exploit this to gain administrative access to the web interface.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(71496);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/17");


  script_name(english:"Palo Alto Networks PAN-OS Firewall/Panorama WebUI Default Credentials");
  script_summary(english:"Attempts to login with the default username/password.");

  script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is protected using default
credentials.");
  script_set_attribute(attribute:"description", value:
"The Palo Alto Networks PAN-OS Firewall / Panorama WebUI interface on
the remote host has the 'admin' user account secured with the default
password. An unauthenticated, remote attacker can exploit this to gain
administrative access to the web interface.");
  # https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Default-Login-Credential/ta-p/56871
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?428c8b63");
  script_set_attribute(attribute:"solution", value:"Secure the 'admin' user account with a strong password.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:TF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:T/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Default admin credentials.");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/17");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_webui_detect.nbin");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_keys("www/palo_alto_panos");
  script_require_ports("Services/www", 443);

  exit(0);
}


include('http.inc');
include('webapp_func.inc');
include('spad_log_func.inc');

get_kb_item_or_exit("www/palo_alto_panos");

port = get_http_port(default:443, embedded:TRUE);

install = get_install_from_kb(appname:"palo_alto_panos", port:port, exit_on_fail:FALSE);
if (isnull(install)) audit(AUDIT_NOT_INST, "Palo Alto Firewall / Panorama");
app = "PAN-OS";

model = get_kb_item("palo_alto/platform/model");
if (model)
  app = model;

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

url = install['dir'] + '/php/login.php';
full_url = build_url(qs:url, port:port);

user = 'admin';
pass = 'admin';

postdata =
  'prot=https%3A&server=' + 
  '&authType=init' +
  '&challengeCookie=' +
  '&user=' + user +
  '&passwd=' + pass +
  '&challengePwd=' +
  '&ok=Login';

res = http_send_recv3(
  method:'POST',
  item:url,
  port:port,
  content_type:'application/x-www-form-urlencoded',
  data:postdata,
  follow_redirect:1,
  exit_on_fail:TRUE
);

spad_log(message:'Request on URL '+full_url+' with POST data: '+postdata+'\nResponse ('+res[0]+'):\n'+res[2]);

if ('Your device is still configured with the default admin account credentials.' >!< res[2])
  audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Palo Alto ' + app, full_url);

report =
  '\n' + 'Nessus was able to log into the Palo Alto ' + app + ' WebUI using' +
  '\n' + 'the following information :' +
  '\n' +
  '\n  URL      : ' + full_url +
  '\n  Username : ' + user +
  '\n  Password : ' + pass + '\n';
security_report_v4(
  port       : port,
  severity   : SECURITY_HOLE,
  extra      : report
);