Advisory - PAN-OS - AES256-CBC & SHA1
During a security assessment, ThreatLabs observed noteworthy patterns in the (exported) configuration files of Palo Alto firewalls. In the default setup, secrets are encrypted using a relatively strong algorithm (i.e., AES256-CBC) but with a master key that is publicly known. More importantly, the specific secret is also stored using a weak hashing algorithm (i.e., SHA1). As a result, secrets may potentially be easily deduced using a password recovery utility (e.g., hashcat).
Details
Encrypted secrets/credentials are stored within the configuration together with a (plain) SHA1 hash of the input when AES256-CBC mode is used as encryption-level. This is particularly problematic for types such as, but not limited to: "bind-password", "password" and "wmi-password". Since SHA1 hashes do not require substantial computational power, it allows for password cracking attacks against these stored values.
This has been observed with PAN-OS 10.1.7 and 11.0.0, but we suspect that all PAN-OS versions are affected when they use AES256-CBC mode as "encryption-level", which is also the default mode.
SHA1 usage - example (output abbreviated for readability):# show shared server-profile ldap
bind-password -AQ==x9274bKW29DwT+bg1eDbQ+k3lg0=6M1Jh9EsdCK58ui82LGVrA==
$ echo -ne 'x9274bKW29DwT+bg1eDbQ+k3lg0=' | base64 -d | xxd -p
c7ddbbe1b296dbd0f04fe6e0d5e0db43e937960d
$ echo -ne 'ThreatLabs' | openssl sha1
SHA1(stdin)= c7ddbbe1b296dbd0f04fe6e0d5e0db43e937960d
In this case, due to the use of the default key, decryption can also be easily performed using the publicly known master key (and salt):
$ echo '6M1Jh9EsdCK58ui82LGVrA==' | openssl aes-256-cbc -d -K 8103850245b9b48f0428c5b74e2615528103850245b9b48f0428c5b74e261552 -iv 0 -base64 -d -A
ThreatLabs
Note: it is generally not recommended to use a static initialization vector (IV).
Vendor response
Palo Alto has informed us that they will not address the specific weakness in the AES256-CBC implementation because an additional encryption level was introduced in modern PAN-OS versions. Furthermore, they have updated their documentation to advise users to transition. Lastly, they plan to establish the enhanced encryption level as the default in upcoming (major) software versions.
Recommendations
- Ensure that configuration files are not stored in insecure locations.
- Prevent the exposure or publication of confidential information, including secrets, even if they are hashed or encrypted.
- Consider implementing AES in GCM mode (introduced in PAN-OS 10.0).
In addition, it is advised to configure a unique (non-default) master key and rotate it regularly.
Timeline
Publication of this advisory
October 9, 2023Response from Palo Alto
Palo Alto conducted a review for technical accuracy.
Publication proposal
September 29, 2023Response from Palo Alto
Status inquiry
September 25, 2023Response from Palo Alto
Status inquiry
August 22, 2023Response from Palo Alto
Status inquiry
July 28, 2023Response from Palo Alto
Request for publication postponement.
Status inquiry
July 11, 2023Proposal for information publication.
Response from Palo Alto
Status inquiry
July 5, 2023Dispute
June 30, 2023Tests conducted with PAN-OS 11.0.1 indicate no changes in the default behavior.
Response from Palo Alto
Palo Alto has indicated that modern PAN-OS versions utilize SHA-256 instead of SHA1.
Status inquiry
June 22, 2023Response from Palo Alto
Status inquiry
April 13, 2023Status inquiry
April 4, 2023Response from Palo Alto
Status inquiry
March 16, 2023Response from Palo Alto
Initial notification
February 24, 2023Switch timeline