CVE-2023-48795 Impact of Terrapin SSH Attack

Related Vulnerabilities: CVE-2023-48795  



Informational

Description

The Terrapin attack allows an attacker with the ability to intercept SSH traffic on the PAN-OS management network (machine-in-the-middle or MitM attacks) to downgrade connection security and force the usage of less secure client authentication algorithms when an administrator connects to PAN-OS software.

This issue does not impact PAN-OS software configured to exclusively use strong cipher algorithms or configured to operate in FIPS-CC mode, which removes support for the impacted algorithms.

Additional information and technical details about the attack can be found at https://terrapin-attack.com.

Product Status

| Versions | Affected | Unaffected |
|----------|----------|------------|
| PAN-OS | Devices using affected ciphers | Devices not using affected ciphers |

Required Configuration for Exposure

PAN-OS software configured with support for the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithm (ciphers with -etm in the name) is exposed to the Terrapin attack and is impacted by this issue.
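The exposure condition above can be checked against what an SSH server actually offers. The following is an added example, not Palo Alto Networks code: it parses an SSH_MSG_KEXINIT payload (layout per RFC 4253) and lists the offered algorithms that match the advisory's criteria. The function names and the two sample payloads are constructed for illustration; in practice the payload would come from a capture of the management interface's handshake.

```python
import struct

# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (message type byte onward) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                      # skip type byte + 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists


def affected_algorithms(lists: dict) -> list:
    """Return (field, name) pairs the advisory names as affected."""
    hits = []
    for field in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"):
        for name in lists[field]:
            if name.startswith("chacha20-poly1305") or "-etm" in name:
                hits.append((field, name))
    return hits


def build_kexinit(enc: str, mac: str) -> bytes:
    """Constructed sample payload for the demo; not captured traffic."""
    values = ["curve25519-sha256", "ssh-ed25519", enc, enc, mac, mac,
              "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(v)) + v.encode() for v in values)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


WEAK = build_kexinit("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
                     "hmac-sha2-256-etm@openssh.com,hmac-sha2-256")
HARDENED = build_kexinit("aes256-gcm@openssh.com,aes256-ctr",
                         "hmac-sha2-256,hmac-sha2-512")

if __name__ == "__main__":
    for label, pkt in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, affected_algorithms(parse_kexinit(pkt)))
```

An empty result for a device's KEXINIT means none of the algorithms named in this advisory are being offered on that connection.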

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-354 Improper Validation of Integrity Check Value

Solution

Customers can resolve this issue by removing support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:

- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2

- https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection

This issue is completely resolved by following the recommended best practices for deploying PAN-OS (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices). No additional PAN-OS fixes are planned in maintenance releases at this time.

Timeline

Initial publication