OpenSSL Man-in-the-middle vulnerability

2014-06-09T07:00:00
ID PAN-SA-2014-0003
Type paloalto
Reporter Palo Alto Networks Product Security Incident Response Team
Modified 2014-06-09T07:00:00

Description

The Palo Alto Networks product security engineering team has completed its analysis of our products' exposure to the vulnerabilities described in the OpenSSL Security Advisory dated June 5th, 2014. Of the 7 CVEs highlighted in the advisory, only CVE-2014-0224 is relevant to our software. The remaining vulnerabilities do not apply because we do not use or support Datagram Transport Layer Security (DTLS), nor do our software clients use anonymous Elliptic Curve Diffie-Hellman (ECDH) cipher suites.

Our exposure to CVE-2014-0224 is limited because the attack only works when both endpoints of a connection are vulnerable: the attacker must inject an early ChangeCipherSpec message into both directions of the handshake, and a patched endpoint on either side rejects it and aborts. While our client-side OpenSSL is vulnerable, our server-side is not. This limits exposure to potential man-in-the-middle (MITM) attacks to sessions that our software initiates with servers outside of our control that are running a vulnerable OpenSSL server version (OpenSSL 1.0.1 or 1.0.2-beta1). Depending on customer configuration, the services that may be exposed to MITM are: firewall services using SSL that are configured to use a proxy running a vulnerable OpenSSL server, syslog over SSL to a syslog server running a vulnerable OpenSSL server, and the User-ID agent connecting to a directory server running a vulnerable OpenSSL server. GlobalProtect is not vulnerable because our portal and gateway servers are not vulnerable.

In response to these issues, Palo Alto Networks is including a patch to the OpenSSL software used across our products in the next scheduled maintenance release for all supported versions of PAN-OS / Panorama, the User-ID agent, and GlobalProtect. Until then, users can mitigate their exposure by ensuring that none of the servers described above is running a vulnerable version of OpenSSL (1.0.1 or 1.0.2-beta1). Customers with further questions about product exposure to this OpenSSL security advisory can contact support. Exploitation requires an attacker positioned as a man-in-the-middle on certain firewall services, such as syslog, the User-ID agent, or the connection between PAN-OS / Panorama and a proxy, and additionally requires that the server PAN-OS / Panorama connects to for that service is itself vulnerable to CVE-2014-0224.

GlobalProtect VPN is not vulnerable, as the PAN-OS Portal and Gateway servers are not vulnerable. This issue affects all versions of PAN-OS / Panorama.

Workaround: Services running over SSL from PAN-OS / Panorama to 3rd party servers (e.g. a syslog server or a directory services server) are only exposed to a possible MITM attack if that server is also vulnerable to CVE-2014-0224. Ensure that the 3rd party service's server is not running a vulnerable version of OpenSSL (1.0.1 or 1.0.2-beta1).
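Checking the reported OpenSSL version of a third-party server is not always possible (the banner may be hidden, or the distribution may backport fixes without changing the version string), so a practitioner usually confirms the workaround with an active handshake test instead. The following script is an added example written for this page; it is not Palo Alto Networks code and is not part of the advisory. It sends a minimal ClientHello, waits for ServerHelloDone, and then injects a ChangeCipherSpec before any ClientKeyExchange, which is exactly the out-of-order message CVE-2014-0224 is about. A patched server must answer with a fatal unexpected_message alert; an unpatched OpenSSL 1.0.1 / 1.0.2-beta1 server accepts the early CCS and switches to keys derived from an empty master secret, so a second plaintext CCS then fails its record check and draws a bad_record_mac (or decryption_failed) alert. That classification mirrors the publicly used CCS-injection test logic; the function names, the verdict strings, the cipher-suite list and the constructed byte strings in the usage are all assumptions of this example. Only run it against servers you are authorized to test.

```python
"""Active check for CVE-2014-0224 (early ChangeCipherSpec acceptance).

Added example for this page, not Palo Alto Networks code.  Function
names, verdict strings and the suite list are this example's choices.
"""
import os
import socket
import struct
import sys

TLS_CCS, TLS_ALERT, TLS_HANDSHAKE = 0x14, 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_SERVER_HELLO_DONE = 0x01, 0x02, 0x0E
ALERT_UNEXPECTED_MESSAGE, ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED = 10, 20, 21

# RSA / DHE suites that a 2014-era OpenSSL server accepts (assumed list).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x003C, 0x009C]


def build_client_hello(version=0x0303):
    """One TLS record carrying a minimal ClientHello with no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)
            + os.urandom(32)                      # client random
            + b"\x00"                             # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record-layer version pinned to TLS 1.0 for maximum compatibility.
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_ccs(version=0x0301):
    """A ChangeCipherSpec record; its single body byte is always 0x01."""
    return bytes([TLS_CCS]) + struct.pack("!H", version) + b"\x00\x01\x01"


def parse_records(data):
    """Split a byte stream into (content_type, version, body) records.

    Returns (records, leftover) so a caller can keep reading a truncated record.
    """
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if pos + 5 + length > len(data):
            break
        records.append((ctype, version, data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, data[pos:]


def handshake_types(records):
    """Handshake message types in order; messages may span several records."""
    buf = b"".join(body for ctype, _, body in records if ctype == TLS_HANDSHAKE)
    types, pos = [], 0
    while pos + 4 <= len(buf):
        msg_len = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + msg_len > len(buf):
            break
        types.append(buf[pos])
        pos += 4 + msg_len
    return types


def classify_alert(records):
    """Map the server's reaction to an early CCS onto a verdict string."""
    for ctype, _, body in records:
        if ctype == TLS_ALERT and len(body) >= 2:
            if body[1] == ALERT_UNEXPECTED_MESSAGE:
                return "not_vulnerable"            # early CCS rejected
            if body[1] in (ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED):
                return "vulnerable"                # CCS accepted, bogus key state
    return "inconclusive"


def _recv_records(sock, rest):
    """Read one chunk; timeouts and EOF yield no records."""
    try:
        chunk = sock.recv(65536)
    except socket.timeout:
        return [], rest
    return parse_records(rest + chunk) if chunk else ([], rest)


def probe(host, port=443, timeout=5.0):
    """Run the check against a live server and return a verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        records, rest = [], b""
        while HS_SERVER_HELLO_DONE not in handshake_types(records):
            new, rest = _recv_records(sock, rest)
            if not new or any(ctype == TLS_ALERT for ctype, _, _ in new):
                return "inconclusive"              # silent, closed, or hello rejected
            records += new
        version = records[0][1]                    # reuse the version the server chose
        verdict = "inconclusive"
        for _ in range(2):                         # first CCS, then a second if silent
            try:
                sock.sendall(build_ccs(version))
            except OSError:
                break                              # already torn down by an alert
            new, rest = _recv_records(sock, rest)
            verdict = classify_alert(new)
            if verdict != "inconclusive":
                break
        return verdict


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: ccs_probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], port, probe(sys.argv[1], port))
```

Run it as `python ccs_probe.py syslog.example.com 6514` (hostname and port are placeholders) against each syslog, directory or proxy server that PAN-OS / Panorama connects to; only "not_vulnerable" confirms the workaround. "inconclusive" means the server either closed silently or refused the plain RSA/DHE handshake the probe offers, so it does not prove the server is patched.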