Palo Alto Networks Security Advisories / CVE-2014-8730

CVE-2014-8730 Padding-oracle attack on TLS CBC cipher mode

047910
Severity 3.7 · LOW
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required LOW
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE

Description

A vulnerability affecting some implementations of TLS 1.x with CBC cipher modes has been discovered that allows an attacker to decrypt some encrypted contents under certain conditions (CVE-2014-8730). This padding-oracle attack on TLS CBC cipher modes is a variant of the POODLE vulnerability, commonly known as “POODLE Bites”. This issue is confirmed to affect PAN-OS implementation of TLS 1.x. (Ref #72544)

The conditions of successful exploitation are similar to the POODLE and BEAST attacks, which require several conditions to be met for successful exploitation (i.e. the attacker requires a man-in-the-middle position in the network and must also be able to direct the victim client to send many repeated requests to the vulnerable server on behalf of the attacker via scripting, web sockets, or similar mechanism). Due to the conditions required of a successful attack scenario, the risk of exploitation is not particularly high. More information can be found in Microsoft Security Advisory 3009008 (https://technet.microsoft.com/library/security/3009008).

This issue affects PAN-OS 6.1.1 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 6.1<= 6.1.1
PAN-OS 6.0<= 6.0.8
PAN-OS 5.0<= 5.0.15

Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Weakness Type

CWE-310

Solution

A patch for the issue described in this bulletin will be made available in a regularly scheduled maintenance update for each supported release of PAN-OS. This bulletin will be updated as the releases are made available.

Workarounds and Mitigations

Customers can enable signature 37144 (“POODLE Bites Vulnerability”) to block attempted TLS sessions using CBC mode on firewall policy securing traffic to sensitive services (e.g. device management). Support for deprecated cipher suites should be disabled on all clients where possible. Device management services should also be restricted to a dedicated vlan or otherwise segmented trusted network to prevent exposure to untrusted hosts where possible.

© 2020 Palo Alto Networks, Inc. All rights reserved.