HTTP Options/Delete Method Enabled Vulnerability

40845
Created On 09/30/20 15:13 PM - Last Modified 11/17/23 01:12 AM


Symptom


Some vulnerability scanners report that the HTTP OPTIONS and DELETE methods are enabled on the firewall's management interface.

 
Rapid7 describes the finding as follows:
"The Web server contains a flaw that may allow a remote attacker to delete arbitrary files by using the HTTP method 'DELETE', resulting in a loss of integrity."

 


Environment


Any Palo Alto Networks firewall whose management IP address is being scanned for vulnerabilities.

Cause


The finding is reported because many vulnerability scanners only read the server banner or the Allow header returned for an OPTIONS request and report whatever methods are listed there. They do not attempt the action itself (an actual DELETE without credentials) to confirm that it succeeds.

Resolution


HTTP OPTIONS is not a vulnerability on the Palo Alto Networks firewall.
These methods cannot be used through the management IP address without fully authenticating and supplying the API key.

That alone removes the finding as a vulnerability: an administrator account would already have to be compromised before the methods could be used.
The DELETE method is treated as unsafe because its original purpose was to delete files on the web server.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE
Today DELETE is commonly used in RESTful APIs.
In that case the method is handled by the application code, not by the web server.
The Palo Alto Networks firewall allows the OPTIONS and DELETE methods because its RESTful API uses them; the web server itself does not act on them.
The potential security flaw the scanner describes therefore does not apply to the Palo Alto Networks firewall.
The vulnerability scanner is doing its job by flagging the advertised methods; the firewall already closes the hole by rejecting any use of the method that is not authenticated with an API key.
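The gap described under Cause and Resolution (a scanner reads the advertised methods but never tries the action) can be closed by doing the test yourself. The script below is an added example, not Palo Alto Networks code: it sends an OPTIONS request to the management IP, records what the Allow header advertises, then sends a DELETE with no API key to a REST API object path and classifies the result. The REST path and the object name scanner-probe are assumptions modelled on the 9.0 documentation layout; the 192.0.2.1 address is a placeholder. Only run it against firewalls you are authorized to test.

```python
"""Check whether the methods a scanner reports are usable without credentials.

Added example, not Palo Alto Networks code. It compares what an OPTIONS
request advertises with what an unauthenticated DELETE actually does.
"""
import http.client
import ssl
from typing import Dict, Optional

# Assumed REST API object path in the PAN-OS 9.0 style; the object name is made up.
PROBE_PATH = "/restapi/v9.0/Objects/Addresses?location=vsys&vsys=vsys1&name=scanner-probe"


def send(host: str, method: str, path: str,
         api_key: Optional[str] = None) -> http.client.HTTPResponse:
    """Send one request to the management IP and return the raw response.

    Certificate verification is disabled because management interfaces often
    present a self-signed certificate; do not copy this into production code.
    An API key, when given, is sent in the X-PAN-KEY header used by the REST API.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    headers = {"X-PAN-KEY": api_key} if api_key else {}
    conn.request(method, path, headers=headers)
    return conn.getresponse()


def advertised_methods(allow_header: Optional[str]) -> set:
    """Parse an Allow header such as 'GET, POST, DELETE' into a set of methods."""
    if not allow_header:
        return set()
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}


def assess(allow_header: Optional[str], delete_status: int) -> Dict[str, object]:
    """Classify the finding from what the scanner sees versus what the request did.

    A banner-only scanner flags DELETE as 'enabled' whenever it is advertised.
    The finding is only real if an unauthenticated DELETE returns a success
    code (2xx); any other status means the application rejected it before acting.
    """
    advertised = "DELETE" in advertised_methods(allow_header)
    succeeded = 200 <= delete_status < 300
    if succeeded:
        verdict = "REAL: unauthenticated DELETE returned a success status"
    elif advertised:
        verdict = "FALSE POSITIVE: DELETE advertised but rejected without an API key"
    else:
        verdict = "NOT ADVERTISED: no Allow header listed DELETE on this path"
    return {"advertised": advertised, "delete_status": delete_status,
            "unauth_delete_succeeded": succeeded, "verdict": verdict}


def probe(host: str) -> Dict[str, object]:
    """Run the OPTIONS and unauthenticated DELETE checks against one host."""
    opts = send(host, "OPTIONS", "/")
    allow = opts.getheader("Allow")
    opts.read()
    delete = send(host, "DELETE", PROBE_PATH)  # deliberately no API key
    delete.read()
    return assess(allow, delete.status)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder management IP
    print(probe(target)["verdict"])
```

The verdict distinguishes the three cases a scanner collapses into one: DELETE advertised and accepted without a key (a real problem), advertised but rejected (the situation this article describes), and not advertised at all. Passing a valid key to send() lets you confirm the authenticated path still works, which is the behaviour the REST API is designed for.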


Additional Information


The RESTful API uses these methods, but they cannot be reached through the management interface without authentication, so they do not expose a vulnerability in the firewall.
API access also has to be enabled before the API can be used at all.

To use the REST API, you must Enable API Access for your administrators and Get Your API Key.
The following link shows how to access and use the RESTful API:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/access-the-rest-api.html
An outside attacker cannot use the REST API unless they have compromised an administrator account with API access and obtained that account's key.
For that to happen the network must already have been compromised in some other way, which is why HTTP OPTIONS/DELETE is not a vulnerability in the Palo Alto Networks firewall. The controls that matter are who can reach the management IP address and who holds API keys.
Reading the relevant portions of the PAN-OS Administrator's Guide will help you understand the firewall capabilities you can access through the API.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB0hCAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
