
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN538
_____________________________________________________________________

DATE                : 15/10/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions 8.1, 9.0, 9.1.

=====================================================================
https://securityadvisories.paloaltonetworks.com/CVE-2020-1968
_____________________________________________________________________


TITLE: CVE-2020-1968 PAN-OS: Impact of the Raccoon Attack Vulnerability


Severity                3.7 LOW
Attack Vector           NETWORK
Attack Complexity       HIGH
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  LOW
Integrity Impact        NONE
Availability Impact     NONE
Published               2021-10-13
Updated                 2021-10-13
Reference               PAN-154936
Discovered externally


Description

In versions of Palo Alto Networks PAN-OS software earlier than PAN-OS
10.0, the DHE cipher available for use in traffic decryption improperly
shares a cryptographic secret across multiple TLS connections, which
weakens its cryptographic strength. This is a prerequisite for
successful exploitation of the Raccoon attack (CVE-2020-1968), which
allows an attacker to eavesdrop on encrypted traffic over those TLS
connections.

Components that are known to be impacted by this vulnerability:

Web Interface

SSL Forward-Proxy

SSL Inbound Inspection

GlobalProtect Portal

GlobalProtect Gateway

GlobalProtect Clientless VPN

This issue impacts all versions of PAN-OS 8.1, all versions of PAN-OS
9.0, and all versions of PAN-OS 9.1. This issue does not impact any
version of PAN-OS 10.0 or any later PAN-OS versions.

Prisma Access customers that have Prisma Access 2.1 firewalls are
impacted by this issue.


Product Status

Versions            Affected   Unaffected
Prisma Access 2.2   None       >= 2.2
Prisma Access 2.1   all
PAN-OS 10.1         None       10.1.*
PAN-OS 10.0         None       10.0.*
PAN-OS 9.1          9.1.*
PAN-OS 9.0          9.0.*
PAN-OS 8.1          8.1.*

Required Configuration for Exposure

This issue is only applicable to PAN-OS firewalls configured to use SSL
Forward Proxy, SSL Inbound Inspection, GlobalProtect Portal,
GlobalProtect Gateway, or GlobalProtect Clientless VPN and where the
usage of the DHE key exchange is not disabled.


Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this
issue.


Weakness Type

CWE-203 Information Exposure Through Discrepancy

CWE-326 Inadequate Encryption Strength


Solution

Apply any of the workarounds to mitigate the risk of CVE-2020-1968.

This issue is fixed in PAN-OS 10.0.0 and all later PAN-OS versions.

This issue is fixed in Prisma Access 2.2 and all later Prisma Access
versions.


Workarounds and Mitigations

For all major versions of PAN-OS software earlier than PAN-OS 10.0 that
use SSL Forward Proxy or SSL Inbound Inspection:

You must disable the DHE key exchange from the web interface. You can
change this setting by selecting 'Objects > Decryption Profile > SSL
Protocol Settings' and then disabling (deselecting) the 'DHE' option.

For all PAN-OS 9.0 and PAN-OS 9.1 versions using web interface,
GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless
VPN, you can use the following CLI command to disable the DHE key
exchange:

    set shared ssl-tls-service-profile cert certificate <certificate-name> protocol-settings keyxchg-algo-dhe no

For PAN-OS 8.1.20 and later PAN-OS 8.1 versions using web interface,
GlobalProtect Portal, GlobalProtect Gateway, or GlobalProtect Clientless
VPN, you can use the same CLI command to disable the DHE key exchange:

    set shared ssl-tls-service-profile cert certificate <certificate-name> protocol-settings keyxchg-algo-dhe no

PAN-OS 10.0 and later PAN-OS versions are not impacted by this issue.
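To confirm that the workaround actually took effect on a firewall-hosted service (web interface, GlobalProtect Portal or Gateway, Clientless VPN), the following added probe, which is not part of the advisory nor Palo Alto Networks code, offers the server only finite-field DHE suites over TLS 1.2 and reports whether it still accepts one; the host name, port and timeout are assumptions you supply. It cannot check the SSL Forward Proxy decryption profile, which only applies to sessions the firewall decrypts in transit.

```python
import socket
import ssl
import sys

# Finite-field ephemeral DH markers in OpenSSL-style and IANA-style suite
# names. ECDHE is deliberately not matched: the advisory concerns DHE only.
_OPENSSL_DHE_PREFIXES = ("DHE-", "EDH-", "ADH-")
_IANA_DHE_PREFIXES = ("TLS_DHE_", "TLS_DH_ANON_")


def uses_dhe(cipher_name: str) -> bool:
    """True if the suite name denotes a finite-field ephemeral DH exchange."""
    name = cipher_name.strip().upper()
    return name.startswith(_OPENSSL_DHE_PREFIXES) or name.startswith(_IANA_DHE_PREFIXES)


def make_probe_context() -> ssl.SSLContext:
    """Client context that can only finish a handshake with a DHE suite.

    TLS 1.3 is capped off: its suites are not selected by set_ciphers() and its
    key shares are not the exchange at issue. Certificate validation is switched
    off on purpose: the probe checks key-exchange negotiation on your own
    appliance, not the certificate chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DHE:!aNULL:!eNULL")
    if not any(c["kea"] == "kx-dhe" for c in ctx.get_ciphers()):
        raise RuntimeError("local OpenSSL offers no DHE suites; probe cannot run")
    return ctx


def probe_dhe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a DHE-only handshake; a completed handshake means DHE is still on."""
    ctx = make_probe_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return {"dhe_accepted": uses_dhe(name), "cipher": name, "version": version}
    except ssl.SSLError as exc:
        # Handshake failure is the expected, good outcome after the workaround:
        # no mutually acceptable suite was found.
        return {"dhe_accepted": False, "cipher": None, "version": None, "detail": str(exc)}
    except OSError as exc:
        # Unreachable or refused: the result is unknown, not "safe".
        return {"dhe_accepted": None, "cipher": None, "version": None, "detail": str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gp.example.invalid"  # assumed host
    print(probe_dhe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it from a vantage point that is allowed to reach the portal or management interface; "dhe_accepted": True means the DHE setting is still enabled on that service, False after an SSLError means the server rejected every DHE suite, and None means the probe could not connect at all.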


Timeline

2021-10-13 Initial publication

(C) 2020 Palo Alto Networks, Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


