QID 730319

Date Published: 2021-12-30

QID 730319: Palo Alto Networks (PAN-OS) Impact of the Raccoon Attack Vulnerability (PAN-154936)

PAN OS is the software that runs all Palo Alto Networks next-generation firewalls.

In versions of Palo Alto Networks PAN-OS software earlier than PAN-OS 10.0, the DHE cipher available for use in traffic decryption improperly shares a cryptographic secret across multiple TLS connections, which weakens its cryptographic strength. This is a prerequisite for successful exploitation of the Raccoon attack (CVE-2020-1968), which allows an attacker to eavesdrop on encrypted traffic over those TLS connections.

Affected Versions:
PAN-OS 9.1 all versions
PAN-OS 9.0 all versions
PAN-OS 8.1 all versions


QID Detection Logic (Authenticated):

This QID looks for the vulnerable version of PAN-OS

NOTE:This issue is only applicable to PAN-OS firewalls configured to use SSL Forward Proxy, SSL Inbound Inspection, GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN and where the usage of the DHE key exchange is not disabled.

In versions of Palo Alto Networks PAN-OS software earlier than PAN-OS 10.0, the DHE cipher available for use in traffic decryption improperly shares a cryptographic secret across multiple TLS connections, which weakens its cryptographic strength. This is a prerequisite for successful exploitation of the Raccoon attack (CVE-2020-1968), which allows an attacker to eavesdrop on encrypted traffic over those TLS connections.

  • CVSS V3 rated as Medium - 3.7 severity.
  • CVSS V2 rated as Medium - 4.3 severity.
    • Solution

    Refer to PAN-154936 for more information about patching this vulnerability.



    Workaround:
    For all major versions of PAN-OS software earlier than PAN-OS 10.0 that use SSL Forward Proxy or SSL Inbound Proxy: You must disable the DHE key exchange from the web interface. You can change this setting by selecting Objects > Decryption Profile > SSL Protocol Settings and then disable (deselect) the 'DHE option. For all PAN-OS 9.0 and PAN-OS 9.1 versions using GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN, you can use the following CLI command to disable the DHE key exchange: "set shared ssl-tls-service-profile (ssl-tls-service-profile-name) protocol-settings keyxchg-algo-dhe no" For PAN-OS 8.1.20 and later PAN-OS 8.1 versions using GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN, you can use the same CLI command to disable the DHE key exchange: "set shared ssl-tls-service-profile (ssl-tls-service-profile-name) protocol-settings keyxchg-algo-dhe no" PAN-OS 10.0 and later PAN-OS versions are not impacted by this issue.

    Vendor References

    CVEs related to QID 730319

    CVE-2020-1968 |
    Software Advisories
    Advisory ID Software Component Link
    PAN-154936 URL Logo security.paloaltonetworks.com/CVE-2020-1968
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].