topic How Palo Alto Networks Identifies GnuTLS Server Hello Session ID Heap Buffer Over Without Decryption in Advanced Threat Prevention Discussions

How Palo Alto Networks Identifies GnuTLS Server Hello Session ID Heap Buffer Over Without Decryption

Nono — Mon, 02 Jul 2018 07:55:15 GMT

HI All,

We detected Vulnerability: 36926 ID- GnuTLS Server Hello Session ID Heap Buffer Overflow in Palo Alto firewall. In our cutomers Firewall enviroment we not enable the SSL Descryption Feature.

Customers Queries us.. How and Why Palo Alto able detect the Vulnerability threat without the SSL?

Can Any one assist us on this?

Re: How Palo Alto Networks Identifies GnuTLS Server Hello Session ID Heap Buffer Over Without Decryp

Retired Member — Wed, 22 Aug 2018 09:29:58 GMT

This is due to the fact that the firewall, or anyone capturing the stream for that matter, can see the start of the server/client session exchange which is still unencrypted.

Looking at the vulnerability "GnuTLS Server Hello Session", the firewall detected something in the server hello. This is the part of an SSL stream where the server and client are still deciding on the way they are going to encrypt the actual session.