Lucene search

K
paloaltoPalo Alto Networks Product Security Incident Response TeamPAN-SA-2012-0017
HistoryApr 27, 2012 - 11:30 p.m.

OpenSSL Plain Text Recovery Attack Vulnerability

2012-04-2723:30:00
Palo Alto Networks Product Security Incident Response Team
securityadvisories.paloaltonetworks.com
14

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.1%

The OpenSSL library implementation is vulnerable to a plain text recovery attack by performing timing analysis of the time required to decrypt encrypted data. A detailed report of this issue is available at http://www.isg.rhul.ac.uk/~kp/dtls.pdf. (Ref #36017)
This vulnerability can theoretically result in plain text recovery of a web management UI session, leading to possible session hijack and control of the device.
This issue affects PAN-OS 4.1.2 and earlier; PAN-OS 4.0.9 and earlier; PAN-OS 3.1.11 and earlier.

Work around:
This issue affects the management interface of the device. Security appliance management best practices dictate that the management interface be isolated and strictly limited only to security administration personnel.

CPENameOperatorVersion
pan-osle4.1.2
pan-osle4.0.9
pan-osle3.1.11

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.1%