Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
About PSIRT Articles
Welcome. This is the place to come for the latest news from the Product Security Incident Response Team at Palo Alto Networks. Here you will find PSIRT related information and happenings, as well as security advisories published by the PSIRT team.
To receive notifications when new content is published here, click on Options and select Subscribe. You must be signed in to the Live Community in order to subscribe to content.
Security researchers at INRIA recently described an attack against information encrypted using older 64-bit block ciphers, such as 3DES and Blowfish, to successfully recover plaintext.
Background
ROBOT [1] is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key.
Exposure
SSL Decryption and GlobalProtect are susceptible to this issue. O ur engineers are working on a software fix. We recommend customers running PAN-OS to upgrade to a fixed version of software or use content update 757, and implement further mitigations through the configuration changes described below under “Mitigations”. PAN-OS impacted releases include 6.1.19 and prior, 7.1.14 and prior, 8.0.6-h3 and prior.
Fix and Mitigations
Software update
PAN-OS 6.1.20 and newer, 7.1.15 and newer, and 8.0.7 and newer are fixed. Customers exposed to this vulnerability are invited to upgrade to a corrected version of PAN-OS.
Content Update
Palo Alto Networks has released content update 757, which includes a vulnerability signature (“TLS Network Security Protocol Information Disclosure Vulnerability – ROBOT”, #38407) that can be used as an interim mitigation to protect PAN-OS devices until the software is upgraded. For complete protection, signature #38407 must be applied upstream from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway.
SSL Decryption Mitigation
Customers running PAN-OS 7.1 or later can configure their SSL Decryption profiles to disable RSA.
GlobalProtect Mitigation
If the GlobalProtect server certificate is using RSA, customers running PAN-OS 7.1 or later can opt to replace this certificate with one implementing the Eliptic Curve DSA algorithm as a safer alternative.
Note: A PAN-OS 7.1 known issue prevents properly formatted ECDSA CSR. As a result, the Global Protect ECDSA certificate could either be generated:
on appliance by temporarily importing the enterprise Certificate Authority in PAN-OS; or
on external enterprise PKI system then imported into PAN-OS along with its private key.
See Also
PAN-OS Technical Documentation
Critical Issues Addressed In PAN-OS Releases
Best Practices For PAN-OS Upgrade
Reference
[1] https://robotattack.org/
Palo Alto Networks has published three new Security Advisories.
Please see https://securityadvisories.paloaltonetworks.com for details about the following:
Information Disclosure in PAN-OS Management API Usage
Command Injection in PAN-OS
Privilege Escalation in PAN-OS
Palo Alto Networks has published 3 new Security Advisories. This includes information about TCP SACK Panic Findings in PAN-OS.
Please see https://securityadvisories.paloaltonetworks.com for details.
