DotW: SSLv2 Weak RSA Cipher Detected - DROWN vulnerability

by 03-14-2016 02:14 PM - edited 04-26-2016 11:50 AM (7,899 Views)

Lately we've seen more activity in the community about the recently discovered SSLv2 Weak RSA Cipher Detected - DROWN Vulnerability issue.

The following discussion starter from member santonic asks if PA covers the DROWN attack.
dotw-2016-03-14_1.png

Does Palo Alto Networks detect the DROWN attack/vulnerability? This is a common question being posted on the Live Community. The answer is both yes and no.

Let me explain:

Palo Alto Networks is able to detect the use of SSLv2 weak ciphers, which the DROWN attack relies on. So it does not directly detect the DROWN attack/vulnerability itself; it detects the SSLv2 weak ciphers that the attack uses. By blocking SSLv2 weak ciphers you will block the DROWN attack, but you might also block legitimate traffic.
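To make concrete what "detecting the use of SSLv2 weak ciphers" means on the wire, and why a blanket block can also catch legitimate traffic, here is an added example. It is not Palo Alto Networks code and not how signature 38924 is implemented; it is an illustration of the same idea. It parses an SSLv2-format CLIENT-HELLO, lists the cipher kinds the client offers, and flags the 40-bit export RSA kinds. A version field above 0x0002 marks the SSLv2-compatible hello that older TLS clients send, which is exactly the kind of legitimate traffic an SSLv2 block can hit. The function names, verdict labels and sample records are my own constructions; the cipher-kind codes are the standard SSL 2.0 CIPHER-KIND values.

```python
"""Classify SSLv2-format CLIENT-HELLO records by the cipher kinds they offer.

Added illustration, not Palo Alto Networks code. The sample records at the
bottom are constructed here, not captured from real sessions.
"""
import struct

# Standard SSL 2.0 CIPHER-KIND codes (3 bytes each).
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit export kinds: only 40 bits of the RSA-encrypted key are secret.
WEAK_EXPORT_KINDS = {0x020080, 0x040080}

MSG_CLIENT_HELLO = 0x01
SSLV2_VERSION = 0x0002


def parse_sslv2_client_hello(record: bytes) -> dict:
    """Decode one SSLv2 record that should carry a CLIENT-HELLO.

    CLIENT-HELLO is sent in the clear and unpadded, so it uses the 2-byte
    record header (high bit set, 15-bit length). Raises ValueError otherwise.
    """
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    if length < 9 or body[0] != MSG_CLIENT_HELLO:
        raise ValueError("not a CLIENT-HELLO")
    version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != length:
        raise ValueError("inconsistent field lengths")
    specs = body[9:9 + cs_len]
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"version": version, "cipher_kinds": kinds,
            "session_id_len": sid_len, "challenge_len": chal_len}


def classify(record: bytes) -> dict:
    """Map a record to a verdict label (labels are my own, not the signature's)."""
    try:
        hello = parse_sslv2_client_hello(record)
    except ValueError as exc:
        return {"verdict": "not_sslv2", "reason": str(exc), "weak_rsa_kinds": []}
    weak = [SSLV2_CIPHER_KINDS[k] for k in hello["cipher_kinds"] if k in WEAK_EXPORT_KINDS]
    if weak:
        verdict = "weak_sslv2_rsa_cipher"        # the condition the page's signature covers
    elif hello["version"] == SSLV2_VERSION:
        verdict = "sslv2_hello_no_export_kinds"
    else:
        # Version field above 0x0002: a v2-compatible hello from a TLS client
        # (RFC 2246 Appendix E). It looks like SSLv2 on the wire, so a blanket
        # block of SSLv2 hits this legitimate traffic too.
        verdict = "v2_compat_hello_from_tls_client"
    return {"verdict": verdict, "version": hello["version"], "weak_rsa_kinds": weak}


def build_client_hello(version: int, kinds: list, challenge: bytes = bytes(16)) -> bytes:
    """Construct a sample record (no session ID) in the SSLv2 CLIENT-HELLO layout."""
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = (bytes([MSG_CLIENT_HELLO])
            + struct.pack(">HHHH", version, len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed samples: a pure SSLv2 hello offering export kinds, a v2-compatible
# hello from a TLS 1.0 client offering AES suites, and a plain TLS 1.0 record.
SAMPLE_SSLV2_EXPORT = build_client_hello(SSLV2_VERSION, [0x010080, 0x020080, 0x040080])
SAMPLE_V2_COMPAT_TLS = build_client_hello(0x0301, [0x00002F, 0x000035])
SAMPLE_TLS_RECORD = bytes.fromhex("16030100050100000100")

if __name__ == "__main__":
    for name, rec in [("sslv2-export", SAMPLE_SSLV2_EXPORT),
                      ("v2-compat-tls", SAMPLE_V2_COMPAT_TLS),
                      ("tls-record", SAMPLE_TLS_RECORD)]:
        print(name, classify(rec))
```

Running the block prints one verdict per sample. The first sample is the case a drop action is meant for; the second shows why "drop" on anything SSLv2-shaped deserves a look at your traffic logs first, since a legacy TLS client can produce the same record layout while offering modern suites.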

The other good news is that yes, Palo Alto Networks has had this coverage, detecting the use of SSLv2 weak ciphers, since Apps and Threats version 567, which was released 10 March 2016.

To read the release notes for this Apps and Threats version, see:
Application and Threat Content Release Notes Version 567


You can obtain more information about this vulnerability from our Threat Vault site here:
https://threatvault.paloaltonetworks.com/Home/ThreatDetail/38924

dotw-2016-03-14_1a.png

We can see that the Palo Alto Networks Signature ID is 38924 and the default action is alert.

You can also see the two CVEs listed:
CVE-2016-0703
CVE-2016-0800

Note: If you want to protect your network from the SSLv2 Weak Cipher vulnerability, be aware that the default action for this signature is only 'alert', not 'block'. If you would like to block it inside your security policy, please follow these steps to ensure that you are protected.

Steps to block the vulnerability

Step 1. Ensure that you have Apps and Threats version 567 or higher by going to WebGUI > Device > Dynamic Updates. Under Applications and Threats, check the version installed. If you see that it is downloaded but not installed, please install it before proceeding, or you will not be able to find the signature in the next steps.


dotw-2016-03-14_2.png

Step 2. Once you know you have version 567 or later installed, proceed to Objects > Vulnerability Protection. There, click the Vulnerability Protection profile that you are using to protect your network.


dotw-2016-03-14_3.png

Step 3. Click the Exceptions tab, then click 'Show all signatures' at the bottom left. Now enter the Signature ID from earlier, 38924, and press Enter to display 'SSL Version 2 Weak RSA Cipher Detected'.

dotw-2016-03-14_4.png

2016-04-26_vul-ssl.png
Vulnerability Protection Profile screen showing the detail after searching for threat ID 38924 - SSL Version 2 Weak RSA Cipher Detected

Step 4. Now click 'default (alert)' in the Action field and change it from 'default (alert)' to 'drop'. Click OK, then commit your policy for this change to take effect.


dotw-2016-03-14_5.png

I hope this helps you protect your network from the DROWN vulnerability.

Please let us know if you have any questions or comments below.

Stay secure,
Joe Delio

Comments
by bantam
on 04-11-2016 12:05 PM

This documentation is nice, but it doesn't at all match what I'm seeing in the PAN device I'm working on. I'm running 576-3249 and I don't see 38924 anywhere when I try to create a threat action exception. I also don't see any of the listed CVEs either.

by
on 04-26-2016 11:51 AM

@bantam, I have been able to verify that this is there now. I'm not sure how long it took to become available, but it is available, and I have even inserted a screenshot showing the detail.
