Distinctive: A bug in the steerage dashboard of Palo Alto Networks (PAN) uncovered 1000’s of buyer assist tickets to an unauthorized distinctive, BleepingComputer has found out.
The uncovered particulars concerned, names and (group) name knowledge of the person or lady creating steerage tickets, conversations involving Palo Alto Networks workers associates and the shopper.
Proof shared with BleepingComputer suggests some help tickets contained attachments—like firewall logs, configuration dumps, and different debugging property shared with the PAN workers by prospects.
Palo Alto Networks, a prime service supplier of cybersecurity and networking gadgets and firewalls, tells BleepingComputer it has now set the difficulty—about eight occasions quickly after it was famous.
How may I assist you these days?
A misconfiguration within the assist program of Palo Alto Networks allowed delicate info and details disclosure —letting a buyer entry private help tickets from different companies.
A PAN buyer who prefers to maintain on being nameless came upon the issue this month and reported it to Palo Alto Networks workers, who’ve now fastened the problem.
The patron extra suggested BleepingComputer that they might see about 1,989 steerage situations that didn’t belong to them or their agency, and shared screenshots testifying to the reality:
A few of these assist circumstances skilled file attachments these as firewall logs, configuration dumps, group security group (NSG) layouts, photos of mistake messages, and comparable inside knowledge recordsdata shared by prospects with Palo Alto Networks for troubleshooting causes.
The screenshot shows a “down load” icon upcoming to each file. Discover, the client tipping us off didn’t share any of the info recordsdata with BleepingComputer and claims not downloading the knowledge both.
Another data uncovered within the assist tickets included:
- Make contact with title, title, e mail deal with and phone amount of the client creating the tickets
- Contents of conversations amongst PAN assist employees and shoppers
- PAN Merchandise serial vary and design
- State of affairs portions, material line, and request severity (Vital, Substantial, Medium, Decreased)
“The primary issues began after I registered for a Palo Alto assist account on the tenth of March,” the unnamed shopper tells BleepingComputer.
“Simply after logging in, my browser would get caught in a redirect loop when hoping to entry Palo Alto knowledgebase, however further importantly, it was returning 403 insufficient permissions when making an attempt to login to Palo Alto Hub, from the place Cloud Identification Motor may very well be mounted.”
The customer raised this problem with PAN steerage and was defined to their get hold of to the Palo Alto Hub was “preset.”
“Having stated that, to my shock, after I logged in to the steerage portal, I used to be able to see not solely the steerage circumstances I raised, but in addition ~1990 assist circumstances below ‘My Agency’s Circumstances’ tab,” extra factors out the patron.
Palo Alto Networks: ‘no information was downloaded or altered’
On realizing the accessibility blunder, the client tells BleepingComputer that they promptly notified Palo Alto Networks, each equally by elevating a “important help request” and getting in touch with choose PAN members on LinkedIn.
BleepingComputer achieved out to PAN to higher comprehend the scope and results of this knowledge leak.
PAN says that no information was downloaded and signifies that the scope of the leak remained confined to only one buyer:
“We’ve got been notified of an downside that allowed an authorized shopper to have a look at a smaller subset of steerage situations, which they usually wouldn’t be capable of have a look at,” a Palo Alto Networks spokesperson suggested BleepingComputer.
“We instantly initiated an investigation and decided it was on account of a permission misconfiguration mistake in a assist course of.”
“Our examination confirmed no knowledge was downloaded or altered, and the problem was promptly remediated.”
Take word, then again, the bug handle took about eight days, after which the aforementioned buyer’s entry to the 1,900 unrelated tickets was revoked.
PAN didn’t treatment if it notified prospects whose data was impacted by the information leak bug, or if it was making ready on performing so.
Presently, the corporate suggests, there isn’t any purchaser motion crucial and that it’s assured that its merchandise and services are safe.