During a security assessment, ThreatLabs observed noteworthy patterns in the (exported) configuration files of Palo Alto firewalls. In the default setup, secrets are encrypted using a relatively strong algorithm (i.e., AES256-CBC) but with a master key that is publicly known. More importantly, the specific secret is also stored using a weak hashing algorithm (i.e., SHA1). As a result, secrets may potentially be easily deduced using a password recovery utility (e.g., hashcat).
Encrypted secrets/credentials are stored within the configuration together with a (plain) SHA1 hash of the input when AES256-CBC mode is used as encryption-level. This is particularly problematic for types such as, but not limited to: "bind-password", "password" and "wmi-password". Since SHA1 hashes do not require substantial computational power, it allows for password cracking attacks against these stored values.
This has been observed with PAN-OS 10.1.7 and 11.0.0, but we suspect that all PAN-OS versions are affected when they use AES256-CBC mode as "encryption-level", which is also the default mode.
SHA1 usage - example (output abbreviated for readability):
# show shared server-profile ldap
bind-password -AQ==x9274bKW29DwT+bg1eDbQ+k3lg0=6M1Jh9EsdCK58ui82LGVrA==
$ echo -ne 'x9274bKW29DwT+bg1eDbQ+k3lg0=' | base64 -d | xxd -p
c7ddbbe1b296dbd0f04fe6e0d5e0db43e937960d
$ echo -ne 'ThreatLabs' | openssl sha1
SHA1(stdin)= c7ddbbe1b296dbd0f04fe6e0d5e0db43e937960d
In this case, due to the use of the default key, decryption can also be easily performed using the publicly known master key (and salt):
$ echo '6M1Jh9EsdCK58ui82LGVrA==' | openssl aes-256-cbc -d -K 8103850245b9b48f0428c5b74e2615528103850245b9b48f0428c5b74e261552 -iv 0 -base64 -d -A
ThreatLabs
Note: it is generally not recommended to use a static initialization vector (IV).
Palo Alto has informed us that they will not address the specific weakness in the AES256-CBC implementation because an additional encryption level was introduced in modern PAN-OS versions. Furthermore, they have updated their documentation to advise users to transition. Lastly, they plan to establish the enhanced encryption level as the default in upcoming (major) software versions.
In addition, it is advised to configure a unique (non-default) master key and rotate it regularly.
Palo Alto conducted a review for technical accuracy.
Request for publication postponement.
Proposal for information publication.
Tests conducted with PAN-OS 11.0.1 indicate no changes in the default behavior.
Palo Alto has indicated that modern PAN-OS versions utilize SHA-256 instead of SHA1.