HTTP OPTIONS/DELETE Method Enabled Vulnerability

40839
Created On 09/30/20 15:13 PM - Last Modified 11/17/23 01:12 AM


Symptom


Some scanners report that the HTTP OPTIONS/DELETE methods are enabled.

Rapid7 defines this as follows:
"The Web server contains a flaw that may allow a remote attacker to delete arbitrary files by using the HTTP method 'DELETE', resulting in a loss of integrity."



Environment


A PAN-OS firewall whose management IP address is being scanned for vulnerabilities.

Cause


This is flagged because many vulnerability scanners only grab the banner and report it; they do not test whether the action behind the reported vulnerability actually works.

Resolution


HTTP OPTIONS is not a vulnerability for the Palo Alto firewall.
There is no way to access these methods through the management IP address without fully authenticating and using the API key.

This fact alone nullifies this as a vulnerability, as the network admin account would already have to be compromised.
The DELETE method was considered unsafe because its original purpose was to delete files on the web server.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE
Nowadays the DELETE method is often used in RESTful APIs.
However, in this case the method is handled by the application code, not by the web server.
The PAN firewall allows the OPTIONS and DELETE methods because our RESTful API uses them, not the web server itself.
Therefore this potential security flaw is not applicable in the PAN firewall's case.
The vulnerability scanner is merely doing its job of finding holes, and we have already responsibly closed this one by blocking the use of that "method()".
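As an added triage check (not code from this KB article or from Palo Alto Networks), the script below does what the Cause section says scanners skip: it reads the Allow header from an OPTIONS response, then sends a single unauthenticated DELETE to your own firewall's management URL and classifies the real answer rather than the banner. The management URL is a placeholder, and `classify_delete` can be exercised on its own with constructed status codes.

```python
# Added example: verify an "HTTP OPTIONS/DELETE enabled" scanner finding against
# your own management interface by checking what the server actually does with
# DELETE, instead of trusting the advertised method list.
import urllib.error
import urllib.request

MGMT_URL = "https://<management-ip>/"  # placeholder: your own firewall's management address


def probe(url: str, method: str, timeout: float = 5.0) -> tuple[int, str]:
    """Send one unauthenticated request; return (status code, Allow header value)."""
    # Certificate verification is left enabled on purpose, so the check fails
    # loudly rather than silently talking to the wrong host.
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Allow", "")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx answer is still evidence: the status code is the finding.
        return err.code, err.headers.get("Allow", "")


def classify_delete(allow_header: str, delete_status: int) -> str:
    """Turn the banner (Allow header) plus the real DELETE response into a verdict."""
    advertised = "DELETE" in {m.strip().upper() for m in allow_header.split(",")}
    if 200 <= delete_status < 300:
        return "actionable-unauthenticated"  # a genuine finding: escalate it
    if delete_status in (401, 403):
        # Method exists but is gated by authentication, as the article describes.
        return "advertised-but-gated" if advertised else "gated"
    if delete_status in (404, 405, 501):
        # Banner-only: the server refuses the method regardless of what it lists.
        return "advertised-only" if advertised else "not-exposed"
    return "indeterminate"


if __name__ == "__main__":
    _, allow = probe(MGMT_URL, "OPTIONS")
    status, _ = probe(MGMT_URL, "DELETE")
    print(f"Allow: {allow!r}  DELETE -> {status}  verdict: {classify_delete(allow, status)}")
```

Only "actionable-unauthenticated" contradicts the article's position; every other verdict means the scanner reported a banner, not an exploitable action.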


Additional Information


The RESTful API has the "method()", but it is not accessible through the management interface without authentication, and therefore is not a vulnerability for the firewall.
To access the API you would need to enable it in the first place.

To use the REST API, you must enable API access for your administrators and get your API key.
The following link shows how to access and use the RESTful API:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/access-the-rest-api.html
An outside attacker cannot use the REST API unless they have compromised an administrator account that has access and have obtained the key.
For that to happen, your network would already have been compromised in a different manner, which means that HTTP OPTIONS/DELETE is not a vulnerability for the Palo Alto firewall.
Reading the relevant portions of the PAN-OS Administrator's Guide will help you better understand the firewall capabilities you can access using the API.
To use the API, you should also be knowledgeable about web service APIs and HTTP.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin.html

