cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this article

L2 Linker
100% helpful (2/2)

Background

ROBOT [1] is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key.

 

Exposure

SSL Decryption and GlobalProtect are susceptible to this issue. Our engineers are working on a software fix. We recommend customers running PAN-OS to upgrade to a fixed version of software or use content update 757, and implement further mitigations through the configuration changes described below under “Mitigations”. PAN-OS impacted releases include 6.1.19 and prior, 7.1.14 and prior, 8.0.6-h3 and prior.

 

Fix and Mitigations

Software update

PAN-OS 6.1.20 and newer, 7.1.15 and newer,  and 8.0.7 and newer are fixed. Customers exposed to this vulnerability are invited to upgrade to a corrected version of PAN-OS.

 

Content Update

Palo Alto Networks has released content update 757, which includes a vulnerability signature (“TLS Network Security Protocol Information Disclosure Vulnerability – ROBOT”, #38407) that can be used as an interim mitigation to protect PAN-OS devices until the software is upgraded. For complete protection, signature #38407 must be applied upstream from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway.

 

SSL Decryption Mitigation

Customers running PAN-OS 7.1 or later can configure their SSL Decryption profiles to disable RSA.

Screen Shot 2017-12-21 at 9.52.07 AM.png

 

GlobalProtect Mitigation

If the GlobalProtect server certificate is using RSA, customers running PAN-OS 7.1 or later can opt to replace this certificate with one implementing the Eliptic Curve DSA algorithm as a safer alternative.

Note: A PAN-OS 7.1 known issue prevents properly formatted ECDSA CSR. As a result, the Global Protect ECDSA certificate could either be generated:

  • on appliance by temporarily importing the enterprise Certificate Authority in PAN-OS; or
  • on external enterprise PKI system then imported into PAN-OS along with its private key.

Screen Shot 2017-12-20 at 1.02.01 PM.png

 

See Also

PAN-OS Technical Documentation

 

Critical Issues Addressed In PAN-OS Releases

 

Best Practices For PAN-OS Upgrade

 

Reference

[1] https://robotattack.org/

 

Rate this article:
(1)
Who rated this article