===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0035.2
          A vulnerability has been identified in Palo Alto PAN-OS
                               14 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Palo Alto PAN-OS
Operating System:     Network Appliance
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-17841

Revision History:     March   14 2018: Updated source text with patched
                                       versions & mitigation
                      January 18 2018: Initial Release

OVERVIEW

        A vulnerability has been identified in Palo Alto PAN-OS prior to
        version 7.1.15 and 8.0.7. [1]


IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "ROBOT is an attack that affects the TLS RSA key exchange and could
        lead to decryption of captured sessions if the TLS server originally
        serving said captured session is still alive, vulnerable and using
        the same private key. (PAN-89936 / CVE-2017-17841)" [1]


MITIGATION

        The vendor recommends users upgrade to the latest versions of PAN-OS
        to address this issue, comprising 6.1.20, 7.1.15 and 8.0.7. [1]

        The vendor also advises a mitigation:

        "Customers running PAN-OS 7.1 or later can configure their SSL
        Decryption profiles to disable RSA. If the GlobalProtect server
        certificate is using RSA, customers running PAN-OS 7.1 or later can
        opt to replace this certificate with one implementing the Elliptic
        Curve DSA algorithm as a safer alternative. In addition, Palo Alto
        Networks has released content update 757 which includes a
        vulnerability signature ("TLS Network Security Protocol Information
        Disclosure Vulnerability - ROBOT", #38407) that can be used as an
        interim mitigation to protect PAN-OS devices until the software is
        upgraded.

        For complete protection, signature #38407 must be applied upstream
        from any interfaces implementing SSL Decryption, or hosting a
        GlobalProtect portal or a GlobalProtect gateway." [1]


REFERENCES

        [1] Palo Alto bulletin: (high) ROBOT attack against PAN-OS
            (PAN-SA-2017-0032)
            https://securityadvisories.paloaltonetworks.com/Home/Detail/117

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
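
An added example, not part of the AusCERT bulletin or any vendor code: a Python triage of a device inventory against the fixed releases and interim mitigations quoted in the MITIGATION section. The host names and versions in the sample are constructed, and treating a hotfix build (such as -h3) of an earlier maintenance release as unfixed is an assumption, since the bulletin names only maintenance releases.

```python
import re

# Fixed maintenance release per train, from the bulletin's MITIGATION section.
FIXED = {(6, 1): 20, (7, 1): 15, (8, 0): 7}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")

def _parse(version):
    m = _VERSION.match(version.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(version):
    """Return 'fixed', 'upgrade', 'not-listed' or 'unparseable'."""
    parsed = _parse(version)
    if parsed is None:
        return "unparseable"
    major, minor, maint = parsed
    fixed_maint = FIXED.get((major, minor))
    if fixed_maint is None:
        return "not-listed"  # train not named in the bulletin; check reference [1]
    # Assumption: a hotfix build of an earlier maintenance release is unfixed.
    return "fixed" if maint >= fixed_maint else "upgrade"

def interim_options(version):
    """Interim mitigations the bulletin quotes for a device awaiting upgrade."""
    parsed = _parse(version)
    if parsed is None:
        return []
    options = ["signature #38407 (content update 757) applied upstream"]
    if parsed[:2] >= (7, 1):  # quoted as available on PAN-OS 7.1 or later
        options.append("disable RSA in SSL Decryption profiles")
        options.append("replace RSA GlobalProtect certificate with ECDSA")
    return options

def triage_inventory(inventory):
    """Group host names by triage status."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(triage(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = {"fw-a": "6.1.19", "fw-b": "7.1.15", "fw-c": "8.0.6-h3",
          "fw-d": "7.0.18", "fw-e": "unknown"}

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE).items()):
        print(status, hosts)
    for host in triage_inventory(SAMPLE).get("upgrade", []):
        print(host, "interim:", interim_options(SAMPLE[host]))
```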