This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Palo Alto Reponse to CVE-2023-48795

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto Reponse to CVE-2023-48795

Black_Sunglass
L0 Member

‎01-04-2024 08:26 PM

Hi all! I am curious whether  anyone knows if Palo Alto has any made any response to CVE-2023-48795? This vulnerabilities has been out for awhile and other vendors have already provided some types of response however, I am not able to find one from Palo Alto. 

 

FYI, CVE-2023-48795 also known as Terrapin which is found in the SSH protocol and affects SSH channel integrity, details refer to link below:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795

https://terrapin-attack.com/

 

Response to CVE-2023-48795 from other vendors 

https://support.checkpoint.com/results/sk/sk181833

https://alas.aws.amazon.com/cve/html/CVE-2023-48795.html

 

6 people had this problem.
(1)
6 REPLIES 6

Usama-Ahmed
L1 Bithead

‎01-05-2024 12:18 PM - edited ‎01-05-2024 12:33 PM

I don't see a response on this but researching. 

0 Likes Likes

hamzah_pinadi
L1 Bithead

‎01-08-2024 09:42 PM

Hi,

 

security.paloaltonetworks just updated with this CVE:

 

https://security.paloaltonetworks.com/CVE-2023-48795

 

"Customers can resolve this issue by removing support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:

- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2

- https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-cli-quick-start/get-started-with-the-cli/refres...

This issue is completely resolved by following the recommended best practices for deploying PAN-OS (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr...). No additional PAN-OS fixes are planned in maintenance releases at this time."

(1)

Usama-Ahmed
L1 Bithead
In response to hamzah_pinadi

‎01-10-2024 06:10 AM

Thanks for the update. 

0 Likes Likes

Rajendra_S
L1 Bithead

‎01-11-2024 03:18 AM

May we know about CHACHA20-POLY1305 Cipher.
how can we check in CLI or WEB interface.
how do we enable to disable this?

0 Likes Likes

Usama-Ahmed
L1 Bithead
In response to Rajendra_S

‎01-11-2024 07:00 AM - edited ‎01-11-2024 07:11 AM

Hi Rajendra:

 

You can run the below command from a linux machine against the firewall or Panorama:

nmap --script ssh2-enum-algos -sV -p 22 <firewall IP>

 

That will tell you what ciphers are running on the device. Instructions on that are in this article:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE&lang=en_US%E2%80%A...

 

Once you have that information. You can use the article below to disable the undesired ciphers:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2

 

To alleviate CVE-2023-48795 my understanding is that you need to disable ciphers with -etm in the name. Which if you are on PAN-OS 10.1 would be the below list for MAC algorithms:

 

     umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
 
You should also see in PAN-OS 10.1 in encryption algorithms that you need to disable:
 
chacha20-poly1305@openssh.com
 
You can disable more weak ciphers as per your organizational standard to further harden. 
Reminder, when you use an SSH service profile it becomes an allow list of ciphers, and everything else is blocked. 
 
Note: You will have to restart the management SSH service from the CLI to apply the profile using the command "set ssh service-restart mgmt". It is recommended to do that after hours. 
 
 

 

Rajendra_S
L1 Bithead
In response to Usama-Ahmed

‎01-11-2024 04:55 PM

Hello Usman Ahmed,

Thank you for your response.

Is there any way to check from a Windows or MAC machine?

 

 

0 Likes Likes
  • 4124 Views
  • 6 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks