Skip to main content

Security Alert: Palo Alto Networks UDP Syslog Exploit

March 24, 2015

Summary

An optional new feature for identifying users by means of syslog messages was introduced in PAN-OS 6.0 (January 2014).  This feature is not enabled out-of-box, however unsafe configurations of the User-ID syslog listener on Palo Alto Networks firewalls can allow an attacker to inject arbitrary user-to-IP mappings, including impersonating any other user on the network or de-authenticating valid users.  Attacker sophistication required to execute this attack is made very low by the availability of Metasploit modules.  Accuvant and FishNet Security MSS has worked with Palo Alto Networks to establish best practice recommendations for configuring User-ID Syslog Server Monitoring.

Technical

PAN-OS 6.0 introduces a new feature enabling the User-ID agent (both integrated and dedicated Windows client) to obtain user identities from a wide array of Unix-like platforms by means of syslog message parsing.  In short, these devices are configured to send their syslog messages over the network to the User-ID agents where they are then matched against regular expressions which extract both the IP and username.  An example of one such message is generated by sshd on an Ubuntu box:

Apr 23 15:59:39 servername sshd[13866]: Accepted publickey for jsmith from 192.168.1.150 port 4514 ssh2

The Windows software-based User-ID Agent supports both UDP and TCP delivery of the syslog messages, while the integrated (“agentless”) implementation supports UDP and SSL.  Due to the send-and-forget nature of UDP transport, the flow of syslog messages is unidirectional and received logs cannot be verified to have been sent from a trusted syslog server.  The configuration of a Palo Alto Networks syslog listener allows for specification of which IP addresses are expected to transmit logs, and syslog traffic from any other source will not be evaluated for parsing.  Still, if an attacker were able to discover the IP address of one of the trusted syslog servers, they can spoof their source IP address to match.  Consequently, fake syslog packets can be crafted with a source of the trusted server and they will be regex parsed as if they were authentic.

Recommendations

After verifying the attack proof of concept in our lab, Accuvant and FishNet Security MSS notified the vendor, and a joint conclusion allows for two options to mitigate this type of attack:

1) SSL transport of syslog is preferred, or in the case of the Windows User-ID Agent, administrators should use TCP transport.  Both protocols have the added benefit of bi-directionality to verify the IP address of the server which transmits the messages, and SSL adds yet another layer of security.

2) If a syslog sender does not support transmitting syslog messages via TCP or SSL, an isolated VLAN should be dedicated for the network which exchanges syslog messages.

Palo Alto Networks has also updated their documentation to reflect these security best-practices:

Pan Documentation

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/user-id/configure-user-id-to-receive-user-mappings-from-a-syslog-sender.html

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/user-id/configure-user-id-to-receive-user-mappings-from-a-syslog-sender.html

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/user-id-features/user-id-integration-with-syslog.html

Accuvant and FishNet Security recommend that clients utilizing Palo Alto Networks OS, using this feature, consider these recommendations during their next change control window to provide mitigation of the above described exploit.


    John Petrucci

By: John Petrucci

Senior Security Engineer

See More

Related Blogs

February 07, 2018

Intelligence Bulletin – When Cryptomining Attacks

Optiv has seen a continuation of attacks based off the usage of CryptoNight miner, in this case likely mining Monero cryptocurrency for the attackers....

See Details

December 13, 2017

Cyber Threat Intelligence Requires Commitment

It’s been said that in a breakfast of bacon and eggs, the chicken is involved but the pig is committed. This saying is relevant when implementing a cy...

See Details

April 19, 2010

Using WIPS in Wireless Networks – Protection and Performance

We are often asked by customers about the relative value of implementing WIPS (Wireless Intrusion Prevention/Protection Systems) in their enterprise n...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

RELATED INSIGHTS

June 16, 2016

Cloud Security Services

Movement to the cloud is a necessity for organizations. Learn how Optiv’s comprehensive suite of cloud solutions can help you get there securely.

See Details

February 08, 2018

Palo Alto Tech Tips for Global Protect Cloud Service

Learn how to reduce the complexity and costs of securing your remote networks and mobile users.

See Details

July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.