Misconfigured user identities for Palo Alto Networks firewalls are leaking onto the public web potentially exposing customer services including VPN and webmail, says security luminary HD Moore.

The mess is a result of a user control module being allowed to operate in untrusted zones, rather than a vulnerability in Palo's kit.

Moore said attackers could obtain user and domain names, plus encrypted NetNTLM password hashes.

"In summary, every time we triggered a PAN (Palo Alto Network) filter on a misconfigured appliance, our scanning node would receive an inbound authentication attempt by User-ID," Moore said in a post.

"This issue is not a vulnerability in the typical sense, but we felt that the impact was significant enough that it required notification and public disclosure.

"A number of PAN customers have enabled Client Probing and Host Probing within the User-ID settings, but have not limited these probes to trusted zones or the internal IP space of the organisation.

"As a result, an external attacker can trigger a security event on the PAN appliance, resulting in an outbound SMB connection from User-ID to the attacker's IP address."

Moore said the flaw can expose organisations to remote compromise, noting that attackers could use off-the-shelf tools to bounce authentication to external customer NTLMSSP infrastructure such as SSL VPNs, Outlook Web Access, and Microsoft IIS web servers.

The problem impacts scores of Windows systems management products and Moore had seen the same effects in other kit.

Palo Alto Networks' response is an advisory pointing users to best practice guidelines to harden their kit.

It recommended that users restrict user-IDs to trusted zones or IP ranges and that minimum account privileges were set.

Customers could also consult Rapid7's hardening guide to shore up their defences against account credential theft. ®