Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.
Developed with ❤️ by the Bishop Fox Cosmos (formerly CAST) team.
Palo Alto's GlobalProtect portal, a feature of PAN-OS, has been the subject of several critical-severity vulnerabilities that can allow authorization bypass, unauthenticated remote code execution, etc. From an external perspective, it can be difficult to tell if you're running a patched version of PAN-OS since the GlobalProtect portal and management interface don't explicitly reveal their underlying software version.
To assist PAN-OS users in patching their firewalls, this scanner examines the Last-Modified
and ETag
HTTP response headers for several static web resources, and associates those values with specific PAN-OS releases. For example, note the ETag
in the following HTTP response from the GlobalProtect portal login page:
$ curl -skI https://example.com/global-protect/login.esp
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
ETag: "6e185d5daf9a"
Examining the last 8 characters of the ETag
gives us the hexadecimal epoch time 5d5daf9a
, represented as 1566420890
in decimal format. We can convert this epoch time to a human-readable format using the UNIX date
utility:
$ date -d @1566420890
Wed 21 Aug 2019 08:54:50 PM UTC
Using the attached version-table.txt
, we can determine that this instance of GlobalProtect portal is running on PAN-OS version 8.1.10
, and is therefore vulnerable to
CVE-2020-2034, an OS command injection vulnerability in GlobalProtect portal, and should consequently be patched.
$ awk '/Aug.*21.*2019/ {print $1}' version-table.txt
8.1.10
This scanner automates the process described above, suggesting an exact (or approximate) underlying PAN-OS version for a remote GlobalProtect portal or management interface. When multiple versions are associated with a given date, this tool will display all version matches as a comma-separated list; e.g, 7.1.24-h1,8.0.19-h1,8.1.9-h4
for 2019-08-15
.
$ git clone https://github.com/noperator/panos-scanner.git
Note that this script requires version-table.txt
in the same directory.
$ python3 panos-scanner.py -h
usage: Determine the software version of a remote PAN-OS target. Requires version-table.txt in the same directory.
[-h] [-v] [-s] [-c] -t TARGET
optional arguments:
-h, --help show this help message and exit
-v verbose output
-s stop after one exact match
-t TARGET https://example.com
In the following example, https://example.com/global-protect/portal/images/favicon.ico
has an HTTP response header that indicates that it's running PAN-OS version 8.0.10
.
$ python3 panos-scanner.py -s -t https://example.com | jq '.match'
{
"date": "2018-05-04",
"versions": [
"8.0.10"
],
"precision": "exact",
"resource": "global-protect/portal/images/favicon.ico"
}
Usage of this tool for testing targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Thanks @k4nfr3 for providing updates to the version table, and for building in the option to print a URL for Palo Alto's security advisories page.
- Shodan Facet Analysis — PAN-OS Version
- A Look at PAN-OS Versions with a Bit of R
- Palo Alto Networks Security Advisories
- Stop after one exact match
- Simplify output
- Support verbose CLI option
- Perhaps output JSON instead, to be processed with
jq
This project is licensed under the MIT License.