CVSS3: 3.7 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS: 0.004 Low
Percentile: 72.3%
In versions of Palo Alto Networks PAN-OS software earlier than PAN-OS 10.0, the DHE cipher available for use in traffic decryption improperly shares a cryptographic secret across multiple TLS connections, which weakens its cryptographic strength. This is a prerequisite for successful exploitation of the Raccoon attack (CVE-2020-1968), which allows an attacker to eavesdrop on encrypted traffic over those TLS connections.
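As an added example (not from the advisory or from Palo Alto Networks), the following Python script parses TLS 1.2 ServerKeyExchange bodies from several connections and flags a DH public value that is reused across them, which is the shared-secret precondition the description refers to. The message bytes, connection ids and the toy-sized group are constructed for the sample.

```python
"""Detect DH public-value reuse across TLS 1.2 ServerKeyExchange messages.

A server that sends the same DH value (Ys) on multiple connections is
reusing its DH secret, the precondition for the Raccoon attack. Input is the
ServerKeyExchange body in the ServerDHParams layout from RFC 5246:
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
followed by a signature, which this parser ignores.
"""
from collections import defaultdict


def _read_vec16(buf, off):
    """Read a 16-bit length-prefixed opaque vector starting at offset off."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + 2], "big")
    if off + 2 + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_server_dh_params(body):
    """Return (p, g, Ys) as integers from a ServerKeyExchange body."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, _ = _read_vec16(body, off)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big"))


def find_reused_dh_values(messages):
    """Map each (p, Ys) pair seen on more than one connection to those connection ids."""
    seen = defaultdict(list)
    for conn_id, body in messages:
        p, _g, ys = parse_server_dh_params(body)
        seen[(p, ys)].append(conn_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams body (no signature) for the constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


# Constructed samples: a 64-bit placeholder modulus for readability (a real DH
# group is 2048+ bits); conn-3 repeats the Ys value sent on conn-1.
P = 0xFFFFFFFFFFFFFFC5
SAMPLE_MESSAGES = [
    ("conn-1", encode_server_dh_params(P, 2, 0x1234567890ABCDEF)),
    ("conn-2", encode_server_dh_params(P, 2, 0x0FEDCBA987654321)),
    ("conn-3", encode_server_dh_params(P, 2, 0x1234567890ABCDEF)),
]

if __name__ == "__main__":
    for (p, ys), conns in find_reused_dh_values(SAMPLE_MESSAGES).items():
        print(f"DH public value {ys:#x} reused across {conns}")
```

On a real capture, feed each connection's ServerKeyExchange handshake body (after the 4-byte handshake header) in place of the constructed samples; any non-empty result means the DHE secret is being shared across connections.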
Components that are known to be impacted by this vulnerability:
SSL Forward-Proxy
SSL Inbound Inspection
GlobalProtect Portal
GlobalProtect Gateway
GlobalProtect Clientless VPN
Workaround:
For all major versions of PAN-OS software earlier than PAN-OS 10.0 that use SSL Forward Proxy or SSL Inbound Proxy:
You must disable the DHE key exchange from the web interface. You can change this setting by selecting "Objects > Decryption Profile > SSL Protocol Settings" and then disabling (deselecting) the "DHE" option.
For all PAN-OS 9.0 and PAN-OS 9.1 versions using GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN, you can use the following CLI command to disable the DHE key exchange:
set shared ssl-tls-service-profile <ssl-tls-service-profile-name> protocol-settings keyxchg-algo-dhe no
For PAN-OS 8.1.20 and later PAN-OS 8.1 versions using GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN, you can use the same CLI command to disable the DHE key exchange:
set shared ssl-tls-service-profile <ssl-tls-service-profile-name> protocol-settings keyxchg-algo-dhe no
PAN-OS 10.0 and later PAN-OS versions are not impacted by this issue.
CPE
Name | Operator | Version
---|---|---
pan-os | eq | 9.1.*
pan-os | eq | 9.0.*
pan-os | eq | 8.1.*
prisma access | eq | Preferred