Information about PAN-OS Finding (PAN-SA-2019-0011)

Last revised: 05/16/2019

Summary

An issue was resolved in PAN-OS that resulted in configured Layer 3 interfaces erroneously opening ports 28869/tcp and 28870/tcp on the IP address assigned to the Layer 3 interface, which bind to an internal service that performs HTTP 301 redirection to the HTTPS port (443/tcp) on the same interface IP address. There are no known vulnerabilities or immediate security risks posed by this issue; however, customers are advised to review this issue and determine the appropriate next steps. (Refer to PAN-94058 and PAN-101704 in the release notes associated with your release: https://docs.paloaltonetworks.com/pan-os.html.)

Severity: Info

An issue was resolved in PAN-OS that resulted in a configured Layer 3 interface erroneously opening ports 28869/tcp and 28870/tcp on the IP address assigned to the Layer 3 interface. These ports bind to an internal service that performs an HTTP 301 redirect to the HTTPS port (443/tcp) on the same interface IP address. After redirection, a web client will attempt to connect to the original destination IP address on 443/tcp and, if any such service is configured on the interface by the administrator (such as on the GlobalProtect portal or the device management interface), the client will connect successfully. In the absence of a configured service, any connection to 443/tcp will time out as expected. This security advisory is rated as “informational” because there are no known vulnerabilities or immediate security risks posed by this issue; however, because unexpected open ports (28869/tcp and 28870/tcp) may appear in routine scans or audits, we advise you to review this issue and determine appropriate next steps for your environment.
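To confirm whether an interface exhibits the behaviour described above (the ports answering and issuing an HTTP 301 to https:// on the same address), the following audit helper is an added example, not Palo Alto Networks code; the address 192.0.2.1 is a placeholder for one of your Layer 3 interface IPs.

```python
"""Audit helper for PAN-SA-2019-0011: probe a Layer 3 interface IP for the
erroneously exposed ports 28869/tcp and 28870/tcp and classify the reply."""
import re
import socket
import sys

ADVISORY_PORTS = (28869, 28870)  # ports named in the advisory


def classify_reply(raw: bytes, interface_ip: str) -> str:
    """Classify a raw reply read from one of the advisory ports.

    "redirect-to-https": the HTTP 301 to https://<interface_ip>/ the advisory
    describes; "other-http": any other HTTP reply; "no-http": not HTTP at all.
    """
    text = raw.decode("latin-1", errors="replace")
    status = re.match(r"HTTP/\d\.\d (\d{3})", text)
    if not status:
        return "no-http"
    loc = re.search(r"^Location:\s*(\S+)", text, re.IGNORECASE | re.MULTILINE)
    expected_prefix = f"https://{interface_ip}"
    if status.group(1) == "301" and loc and loc.group(1).lower().startswith(expected_prefix):
        return "redirect-to-https"
    return "other-http"


def probe_port(interface_ip: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a minimal GET, and classify the reply.
    Returns "closed" when the connection is refused or times out."""
    try:
        with socket.create_connection((interface_ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"GET / HTTP/1.0\r\nHost: {interface_ip}\r\n\r\n".encode())
            raw = b""
            while len(raw) < 4096:  # a redirect reply is small; cap the read
                chunk = s.recv(1024)
                if not chunk:
                    break
                raw += chunk
    except OSError:  # connection refused, unreachable, or timeout
        return "closed"
    return classify_reply(raw, interface_ip)


def audit_interface(interface_ip: str) -> dict:
    """Probe both advisory ports on one interface address."""
    return {port: probe_port(interface_ip, port) for port in ADVISORY_PORTS}


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder L3 interface IP
    for port, verdict in audit_interface(ip).items():
        print(f"{ip}:{port} -> {verdict}")
```

A result of "closed" on both ports after upgrading to a fixed release is the expected outcome; "redirect-to-https" on an unpatched release matches the behaviour this advisory describes.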

Products Affected

Firewalls with GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.11-h1 or PAN-OS 8.1.0 to PAN-OS 8.1.1. Firewalls without GlobalProtect enabled and running PAN-OS 8.0.8 to PAN-OS 8.0.13 or PAN-OS 8.1.0 to PAN-OS 8.1.3. Firewalls running PAN-OS 7.1 or PAN-OS 9.0 are NOT affected.

Available Updates

Firewalls with GlobalProtect enabled: PAN-OS 8.0.12 or a later PAN-OS 8.0 release and PAN-OS 8.1.2 or a later PAN-OS release. Firewalls without GlobalProtect enabled: PAN-OS 8.0.14 or a later PAN-OS 8.0 release and PAN-OS 8.1.4 or a later PAN-OS release.

Workarounds and Mitigations

Firewall administrators can create an explicit deny policy that blocks ports 28869/tcp and 28870/tcp on the affected L3 interface addresses. For more information on configuration, please refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLxl

Acknowledgements

n/a