
Palo Alto Networks Firewalls Leaking Usernames and Password Hashes

A significant number of Palo Alto Networks (PAN) firewalls are leaking critical information onto the open internet. It's vital to qualify that statement immediately. The leaks result from firewall administrators enabling Client Probing and Host Probing within the User-ID settings without explicitly limiting such probes to a trusted "zone" or subnet. The username, domain name and password hash are handed to anyone who initiates a properly formatted SMB connection to an impacted firewall.

HD Moore, Chief Research Officer of Rapid7 and founder of Metasploit, is responsible for the initial publication of the vulnerability.

Enabling such a configuration on a production firewall appliance, with its resulting leaks, creates a somewhat unusual situation in which responsibility for the vulnerability ought to be shared between security administrators and PAN developers. SMB probing should be restricted to trusted subnets; this is obvious. That said, such a setting should not be essentially encouraged through the user interface. It would be trivial to produce an error or warning message when saving a configuration that allows SMB probing toward the WAN. Clearly there was an oversight on the part of PAN here.

To their credit, PAN has released an advisory to their customers, and has done so promptly. Even more to their credit, they cited Moore's original post in their own. Honesty and transparency of this nature are rare and should be applauded. It's tough to own up when you screw up, but PAN appears to have done just that.

It's a simple problem with a simple solution, admins. Disable Probing on your PAN appliance, or ensure that SMB probes are restricted to a trusted subnet. An explicit how-to on that task is available here.