Palo Alto Networks Security Advisories / CVE-2017-17841

CVE-2017-17841 ROBOT attack against PAN-OS


047910
Severity 5.9 · MEDIUM
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact HIGH
Privileges Required NONE
Integrity Impact NONE
User Interaction NONE
Availability Impact NONE

Description

ROBOT is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key. (PAN-89936 / CVE-2017-17841)

While SSL Decryption and GlobalProtect are susceptible to this issue, PAN-OS can be protected with use of content update 757, and further mitigated through the configuration changes described below under "Workarounds and Mitigations".

This issue affects PAN-OS 6.1.19 and earlier, PAN-OS 7.1.14 and earlier, PAN-OS 8.0.6-h3 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 8.0<= 8.0.6-h3>= 8.0.7
PAN-OS 7.1<= 7.1.14>= 7.1.15
PAN-OS 6.1<= 6.1.19>= 6.1.20

Severity: MEDIUM

CVSSv3.1 Base Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Weakness Type

Solution

This issue is fixed in PAN-OS 6.1.20, PAN-OS 7.1.15, PAN-OS 8.0.7, and all later PAN-OS versions.

Workarounds and Mitigations

Customers running PAN-OS 7.1 or later can configure their SSL Decryption profiles to disable RSA. If the GlobalProtect server certificate is using RSA, customers running PAN-OS 7.1 or later can opt to replace this certificate with one implementing the Elliptic Curve DSA algorithm as a safer alternative. In addition, Palo Alto Networks has released content update 757 which includes a vulnerability signature ("TLS Network Security Protocol Information Disclosure Vulnerability - ROBOT", #38407) that can be used as an interim mitigation to protect PAN-OS devices until the software is upgraded. For complete protection, signature #38407 must be applied upstream from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway.

Timeline

Clarified that this issue is fixed in all later PAN-OS versions.
© 2024 Palo Alto Networks, Inc. All rights reserved.