https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572559#M492 <P>Thanks for the update.&nbsp;</P> Wed, 10 Jan 2024 14:10:11 GMT Usama-Ahmed 2024-01-10T14:10:11Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/571858#M489 <P>Hi all! I am curious whether&nbsp; anyone knows if <SPAN>Palo Alto has any made any response to&nbsp;CVE-2023-48795? This vulnerabilities has been out for awhile and other vendors have already provided some types of response however, I am not able to find one from Palo Alto.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>FYI, </SPAN>CVE-2023-48795 also known as Terrapin which is found in the SSH protocol and affects SSH channel integrity, details refer to link below:</P> <P><A href="https://urldefense.com/v3/__https:/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795__;!!KDf9ebxpXGLC!HtQHluwjyktmn2ar_VItyjiRnxbhVY742T6ImLGovIgC7cDngZCthOA0wTY40KkdMe-DMqdKRJlxOBwoXj-vAba10qJTmNDg$" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795</A></P> <P><A href="https://urldefense.com/v3/__https:/terrapin-attack.com/__;!!KDf9ebxpXGLC!HtQHluwjyktmn2ar_VItyjiRnxbhVY742T6ImLGovIgC7cDngZCthOA0wTY40KkdMe-DMqdKRJlxOBwoXj-vAba10jQ0KNWH$" target="_blank">https://terrapin-attack.com/</A></P> <P>&nbsp;</P> <P>Response to CVE-2023-48795 from other vendors&nbsp;</P> <P><A href="https://urldefense.com/v3/__https:/support.checkpoint.com/results/sk/sk181833__;!!KDf9ebxpXGLC!HtQHluwjyktmn2ar_VItyjiRnxbhVY742T6ImLGovIgC7cDngZCthOA0wTY40KkdMe-DMqdKRJlxOBwoXj-vAba10llqxxn8$" target="_blank">https://support.checkpoint.com/results/sk/sk181833</A></P> <P><A href="https://alas.aws.amazon.com/cve/html/CVE-2023-48795.html" target="_blank">https://alas.aws.amazon.com/cve/html/CVE-2023-48795.html</A></P> <P>&nbsp;</P> Fri, 05 Jan 2024 04:26:09 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/571858#M489 Black_Sunglass 2024-01-05T04:26:09Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/571954#M490 <P>I don't see a response on this but researching.&nbsp;</P> Fri, 05 Jan 2024 20:33:50 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/571954#M490 Usama-Ahmed 2024-01-05T20:33:50Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572254#M491 <P>Hi,</P> <P>&nbsp;</P> <P>security.paloaltonetworks just updated with this CVE:</P> <P>&nbsp;</P> <P><A href="https://security.paloaltonetworks.com/CVE-2023-48795" target="_blank">https://security.paloaltonetworks.com/CVE-2023-48795</A></P> <P>&nbsp;</P> <P style="display: block; margin-block: 1em; margin-inline: 0px; color: #727272; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">"Customers can resolve this issue by removing support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:</P> <P style="display: block; margin-block: 1em; margin-inline: 0px; color: #727272; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">-<SPAN>&nbsp;</SPAN><A class="linkified" style="text-decoration: none; color: #fa582d;" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2</A></P> <P style="display: block; margin-block: 1em; margin-inline: 0px; color: #727272; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">-<SPAN>&nbsp;</SPAN><A class="linkified" style="text-decoration: none; color: #fa582d;" href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection</A></P> <P style="display: block; margin-block: 1em; margin-inline: 0px; color: #727272; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">This issue is completely resolved by following the recommended best practices for deploying PAN-OS (<A class="linkified" style="text-decoration: none; color: #fa582d;" href="https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices</A>). No additional PAN-OS fixes are planned in maintenance releases at this time."</P> Tue, 09 Jan 2024 05:42:49 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572254#M491 hamzah_pinadi 2024-01-09T05:42:49Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572559#M492 <P>Thanks for the update.&nbsp;</P> Wed, 10 Jan 2024 14:10:11 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572559#M492 Usama-Ahmed 2024-01-10T14:10:11Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572697#M493 <P>May we know about&nbsp;<SPAN>CHACHA20-POLY1305 Cipher.<BR />how can we check in CLI or WEB interface.<BR />how do we enable to disable this?</SPAN></P> Thu, 11 Jan 2024 11:18:31 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572697#M493 Rajendra-S 2024-01-11T11:18:31Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572737#M494 <P>Hi Rajendra:</P> <P>&nbsp;</P> <P>You can run the below command from a linux machine against the firewall or Panorama:</P> <P style="margin: 0in; font-family: Calibri; font-size: 12.0pt;">nmap --script ssh2-enum-algos -sV -p 22 &lt;firewall IP&gt;</P> <P style="margin: 0in; font-family: Calibri; font-size: 12.0pt;">&nbsp;</P> <P>That will tell you what ciphers are running on the device. Instructions on that are in this article:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <P>Once you have that information. You can use the article below to disable the undesired ciphers:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2</A></P> <P>&nbsp;</P> <P>To alleviate&nbsp;CVE-2023-48795 my understanding is that you need to disable ciphers with -etm in the name. Which if you are on PAN-OS 10.1 would be the below list for MAC algorithms:</P> <P>&nbsp;</P> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">&nbsp; &nbsp; &nbsp;umac-64-etm@openssh.com</SPAN></DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">| &nbsp; &nbsp; &nbsp; umac-128-etm@openssh.com</SPAN></DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">| &nbsp; &nbsp; &nbsp; hmac-sha2-256-etm@openssh.com</SPAN></DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">| &nbsp; &nbsp; &nbsp; hmac-sha2-512-etm@openssh.com</SPAN></DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">| &nbsp; &nbsp; &nbsp; hmac-sha1-etm@openssh.com</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV>You should also see in PAN-OS 10.1 in encryption algorithms that you need to disable:</DIV> <DIV>&nbsp;</DIV> <DIV><SPAN>chacha20-poly1305@openssh.com</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">You can disable more weak ciphers as per your organizational standard to further harden.&nbsp;</SPAN></DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">Reminder, when you use an SSH service profile it becomes an allow list of ciphers, and everything else is blocked.&nbsp;</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN data-ogsc="rgb(0, 0, 0)">Note: You will have to restart the management SSH service from the CLI to apply the profile using the command "<STRONG>set ssh service-restart mgmt</STRONG>". It is recommended to do that after hours.&nbsp;</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV>&nbsp;</DIV> <P>&nbsp;</P> Thu, 11 Jan 2024 15:11:57 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572737#M494 Usama-Ahmed 2024-01-11T15:11:57Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572802#M495 <P>Hello Usman Ahmed,</P> <P>Thank you for your response.</P> <P>Is there any way to check from a Windows or MAC machine?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 12 Jan 2024 00:55:53 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/572802#M495 Rajendra-S 2024-01-12T00:55:53Z https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/1226888#M710 <P>Hey Rajenda,</P> <P>If you need to use any other OS other than Linux, please follow the KB linked below:</P> <P>How to view the SSH cipher suites supported on the Firewall using non-Palo Alto Networks tools<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008WoTCAU" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008WoTCAU</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 18 Apr 2025 09:28:31 GMT https://live.paloaltonetworks.com/t5/custom-signatures/palo-alto-reponse-to-cve-2023-48795/m-p/1226888#M710 aadamczyk 2025-04-18T09:28:31Z