Palo Alto Networks Product Security Incident Response Team: PA-CVE-2020-1968
History: Oct 13, 2021 - 4:00 p.m.

PAN-OS: Impact of the Raccoon Attack Vulnerability CVE-2020-1968

Palo Alto Networks Product Security Incident Response Team
securityadvisories.paloaltonetworks.com

CVSS3: 3.7 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.004 Low
Percentile: 72.3%

In versions of Palo Alto Networks PAN-OS software earlier than PAN-OS 10.0, the DHE cipher available for use in traffic decryption improperly shares a cryptographic secret across multiple TLS connections, which weakens its cryptographic strength. This is a prerequisite for successful exploitation of the Raccoon attack (CVE-2020-1968), which allows an attacker to eavesdrop on encrypted traffic over those TLS connections.

Components that are known to be impacted by this vulnerability:
SSL Forward-Proxy
SSL Inbound Inspection
GlobalProtect Portal
GlobalProtect Gateway
GlobalProtect Clientless VPN

Workaround:
For all major versions of PAN-OS software earlier than PAN-OS 10.0 that use SSL Forward Proxy or SSL Inbound Proxy:

You must disable the DHE key exchange from the web interface. You can change this setting by selecting 'Objects > Decryption Profile > SSL Protocol Settings' and then disabling (deselecting) the 'DHE' option.

For all PAN-OS 9.0 and PAN-OS 9.1 versions using GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN, you can use the following CLI command to disable the DHE key exchange:

set shared ssl-tls-service-profile <ssl-tls-service-profile-name> protocol-settings keyxchg-algo-dhe no

For PAN-OS 8.1.20 and later PAN-OS 8.1 versions using GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless VPN, you can use the same CLI command to disable the DHE key exchange:

set shared ssl-tls-service-profile <ssl-tls-service-profile-name> protocol-settings keyxchg-algo-dhe no

PAN-OS 10.0 and later PAN-OS versions are not impacted by this issue.
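The advisory's precondition (one DHE secret shared across TLS connections) is observable on the wire: a server that reuses its secret sends the same dh_Ys in every ServerKeyExchange. The following probe is an added example, not code from Palo Alto Networks or this advisory; it opens a DHE-only TLS 1.2 handshake and extracts dh_Ys so an administrator can verify a portal, gateway or inspected listener after applying the workaround (host names, ports and the cipher-suite list are assumptions).

```python
import os
import socket
import struct

DHE_SUITES = (0x009E, 0x009F, 0x0033, 0x0039)  # TLS 1.2 DHE_RSA suites; offering only these forces DHE

def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello with SNI and signature_algorithms, DHE suites only."""
    suites = b"".join(struct.pack("!H", s) for s in DHE_SUITES)
    name = b"\x00" + struct.pack("!H", len(sni)) + sni
    exts = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name  # server_name (0)
    algs = b"\x04\x01\x05\x01\x06\x01\x02\x01"  # rsa_pkcs1 with sha256/384/512/sha1
    exts += struct.pack("!HHH", 13, len(algs) + 2, len(algs)) + algs  # signature_algorithms
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack("!H", len(suites))
            + suites + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    msg = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(msg)) + msg  # handshake record

def find_server_key_exchange(read):
    """Reassemble the handshake stream from read(n) and return the ServerKeyExchange body."""
    stream = b""
    while True:
        ctype, _ver, length = struct.unpack("!BHH", read(5))  # struct.error here means EOF
        if ctype == 21:  # alert record: the server accepted none of the offered DHE suites
            raise ConnectionError("TLS alert instead of a DHE handshake (DHE disabled?)")
        stream += read(length)
        while len(stream) >= 4:
            mtype, mlen = stream[0], int.from_bytes(stream[1:4], "big")
            if len(stream) < 4 + mlen:
                break  # message continues in the next record
            if mtype == 12:
                return stream[4:4 + mlen]
            stream = stream[4 + mlen:]  # skip ServerHello, Certificate, ...

def parse_dh_params(body):
    """ServerDHParams: dh_p, dh_g, dh_Ys, each a 2-byte length plus opaque bytes."""
    parts, pos = [], 0
    for _ in range(3):
        n = int.from_bytes(body[pos:pos + 2], "big")
        parts.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return tuple(parts)  # (p, g, Ys); the trailing signature is not needed here

def probe_dh_ys(host, port=443, sni=None):
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_client_hello((sni or host).encode()))
        return parse_dh_params(find_server_key_exchange(sock.makefile("rb").read))[2]

def dh_public_reused(ys_values):
    return len(set(ys_values)) < len(ys_values)  # same dh_Ys twice: shared DHE secret
```

Run probe_dh_ys twice against the same listener and pass both results to dh_public_reused; after the workaround the expected outcome is the ConnectionError raised on the server's alert, since no DHE suite should be accepted at all. Two differing values do not rule out reuse inside a shorter time window, so they are weaker evidence than a refused DHE handshake.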