Palo Alto Reponse to CVE-2023-48795

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto Reponse to CVE-2023-48795

L0 Member

Hi all! I am curious whether  anyone knows if Palo Alto has any made any response to CVE-2023-48795? This vulnerabilities has been out for awhile and other vendors have already provided some types of response however, I am not able to find one from Palo Alto. 

 

FYI, CVE-2023-48795 also known as Terrapin which is found in the SSH protocol and affects SSH channel integrity, details refer to link below:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795

https://terrapin-attack.com/

 

Response to CVE-2023-48795 from other vendors 

https://support.checkpoint.com/results/sk/sk181833

https://alas.aws.amazon.com/cve/html/CVE-2023-48795.html

 

6 REPLIES 6

L1 Bithead

I don't see a response on this but researching. 

L1 Bithead

Hi,

 

security.paloaltonetworks just updated with this CVE:

 

https://security.paloaltonetworks.com/CVE-2023-48795

 

"Customers can resolve this issue by removing support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:

- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2

- https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-cli-quick-start/get-started-with-the-cli/refres...

This issue is completely resolved by following the recommended best practices for deploying PAN-OS (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr...). No additional PAN-OS fixes are planned in maintenance releases at this time."

Thanks for the update. 

L1 Bithead

May we know about CHACHA20-POLY1305 Cipher.
how can we check in CLI or WEB interface.
how do we enable to disable this?

Hi Rajendra:

 

You can run the below command from a linux machine against the firewall or Panorama:

nmap --script ssh2-enum-algos -sV -p 22 <firewall IP>

 

That will tell you what ciphers are running on the device. Instructions on that are in this article:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE&lang=en_US%E2%80%A...

 

Once you have that information. You can use the article below to disable the undesired ciphers:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2

 

To alleviate CVE-2023-48795 my understanding is that you need to disable ciphers with -etm in the name. Which if you are on PAN-OS 10.1 would be the below list for MAC algorithms:

 

     umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
 
You should also see in PAN-OS 10.1 in encryption algorithms that you need to disable:
 
chacha20-poly1305@openssh.com
 
You can disable more weak ciphers as per your organizational standard to further harden. 
Reminder, when you use an SSH service profile it becomes an allow list of ciphers, and everything else is blocked. 
 
Note: You will have to restart the management SSH service from the CLI to apply the profile using the command "set ssh service-restart mgmt". It is recommended to do that after hours. 
 
 

 

Hello Usman Ahmed,

Thank you for your response.

Is there any way to check from a Windows or MAC machine?

 

 

  • 2308 Views
  • 6 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!