Palo Alto Networks firewall bug being exploited by threat actors: Report


The issue doesn’t affect the company’s Cloud NGFW or Prisma Access software.

GreyNoise said exploitation began around Tuesday of this week. Assetnote published research about the hole on Wednesday. Palo Alto Networks published its advisory the same day.

‘Weird path-processing behavior’

The vulnerability, Assetnote said, is a “weird path-processing behavior” in the Apache HTTP server part of PAN-OS, which, along with Nginx, handles web requests to the PAN-OS management interface. A web request first hits the Nginx reverse proxy, and if it arrives on a port that indicates it is destined for the management interface, PAN-OS sets several headers, the most important of which is X-PAN-AUTHCHECK. The Nginx configuration then goes through several location checks and selectively sets the auth check to off. The request is then proxied to Apache, which re-normalizes and re-processes the request and applies a rewrite rule under certain conditions. If the requested file is a PHP file, Apache passes the request through via mod_php FCGI, which enforces authentication based on the header.

The problem is that Apache may process the path or headers differently from Nginx before the request is handed to PHP, so if there is a difference between what Nginx thinks a request looks like and what Apache thinks it looks like, an attacker could achieve an authentication bypass.

Assetnote describes this as a “quite common” architecture problem where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior. “Fundamentally,” the research note added, “these architectures lead to header smuggling and path confusion, which can result in many impactful bugs.”
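The disagreement between layers described above can be checked for mechanically. The following is an added example, not code from Assetnote, Palo Alto Networks or the original article: it uses a simplified two-layer model (an assumption, not the actual Nginx or Apache behaviour in PAN-OS) to flag request paths whose normalized form changes on a second pass. All function names and sample request lines are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed request lines (not from the article or from any real log).
SAMPLE_REQUESTS = [
    "GET /php/login.php HTTP/1.1",
    "GET /static/app.js?v=3 HTTP/1.1",
    "GET /docs/a%20b.html HTTP/1.1",
    "GET /public/%252e%252e/private/report.php HTTP/1.1",
]


def normalize_once(path):
    """One layer's pass: percent-decode once, then collapse '.' and '..'."""
    return posixpath.normpath(unquote(path))


def layer_views(raw_path):
    """Return (front_view, backend_view) in this simplified two-layer model.

    Assumption: the front proxy makes its decision after one normalization
    pass, and the backend normalizes the forwarded path again before routing.
    """
    front = normalize_once(raw_path)
    backend = normalize_once(front)
    return front, backend


def divergent_paths(request_lines):
    """Return raw paths on which the two layers would see different resources."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed request line; out of scope for this check
        raw_path = parts[1].split("?", 1)[0]  # drop the query string
        front, backend = layer_views(raw_path)
        if front != backend:
            flagged.append(raw_path)
    return flagged


if __name__ == "__main__":
    for path in divergent_paths(SAMPLE_REQUESTS):
        print("layers disagree on:", path, layer_views(path))
```

A path that is stable under repeated normalization gives both layers the same view; any path flagged here is one where an authentication decision made at the proxy may not apply to the resource the backend actually serves.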


