During a security assessment, ThreatLabs observed noteworthy patterns in the (exported) configuration files of Palo Alto firewalls. In the default setup, secrets are encrypted using a relatively strong algorithm (i.e., AES256-CBC) but with a master key that is publicly known. More importantly, the specific secret is also stored using a weak hashing algorithm (i.e., SHA1). As a result, secrets may potentially be easily deduced using a password recovery utility (e.g., hashcat).
Encrypted secrets/credentials are stored within the configuration together with a (plain) SHA1 hash of the input when AES256-CBC mode is used as encryption-level. This is particularly problematic for types such as, but not limited to: "bind-password", "password" and "wmi-password". Since SHA1 hashes do not require substantial computational power, it allows for password cracking attacks against these stored values.
This has been observed with PAN-OS 10.1.7 and 11.0.0, but we suspect that all PAN-OS versions are affected when they use AES256-CBC mode as "encryption-level", which is also the default mode.SHA1 usage - example (output abbreviated for readability):
# show shared server-profile ldap
$ echo -ne 'x9274bKW29DwT+bg1eDbQ+k3lg0=' | base64 -d | xxd -p
$ echo -ne 'ThreatLabs' | openssl sha1
In this case, due to the use of the default key, decryption can also be easily performed using the publicly known master key (and salt):
$ echo '6M1Jh9EsdCK58ui82LGVrA==' | openssl aes-256-cbc -d -K 8103850245b9b48f0428c5b74e2615528103850245b9b48f0428c5b74e261552 -iv 0 -base64 -d -A
Note: it is generally not recommended to use a static initialization vector (IV).
Palo Alto has informed us that they will not address the specific weakness in the AES256-CBC implementation because an additional encryption level was introduced in modern PAN-OS versions. Furthermore, they have updated their documentation to advise users to transition. Lastly, they plan to establish the enhanced encryption level as the default in upcoming (major) software versions.
In addition, it is advised to configure a unique (non-default) master key and rotate it regularly.
Palo Alto conducted a review for technical accuracy.
Request for publication postponement.
Proposal for information publication.
Tests conducted with PAN-OS 11.0.1 indicate no changes in the default behavior.
Palo Alto has indicated that modern PAN-OS versions utilize SHA-256 instead of SHA1.