Palo Alto Networks Security Advisories / CVE-2011-4108

CVE-2011-4108 OpenSSL Plain Text Recovery Attack Vulnerability

Severity: 3.7 · LOW
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Description

The OpenSSL library implementation is vulnerable to a plain text recovery attack that relies on measuring the time required to decrypt encrypted data. A detailed report of this issue is available at http://www.isg.rhul.ac.uk/~kp/dtls.pdf. (Ref #36017)

This vulnerability can theoretically result in plain text recovery of a web management UI session, leading to possible session hijack and control of the device.

This issue affects PAN-OS 4.1.2 and earlier; PAN-OS 4.0.9 and earlier; PAN-OS 3.1.11 and earlier.

Product Status

Versions      Affected     Unaffected
PAN-OS 4.1    <= 4.1.2     >= 4.1.3
PAN-OS 4.0    <= 4.0.9     >= 4.0.10
PAN-OS 3.1    <= 3.1.11    >= 3.1.12

Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Weakness Type

CWE-310 Cryptographic Issues

Solution

This issue is fixed in PAN-OS 4.1.3 and later; PAN-OS 4.0.10 and later; PAN-OS 3.1.12 and later.

Workarounds and Mitigations

This issue affects the management interface of the device. Security appliance management best practices dictate that the management interface be isolated and that access to it be strictly limited to security administration personnel.
