CVE-2023-48795 Impact of Terrapin SSH Attack
The Terrapin attack allows an attacker with the ability to intercept SSH traffic on the PAN-OS management network (machine-in-the-middle or MitM attacks) to downgrade connection security and force the usage of less secure client authentication algorithms when an administrator connects to PAN-OS software.
This issue does not impact PAN-OS software configured to exclusively use strong cipher algorithms or configured to operate in FIPS-CC mode, which removes support for the impacted algorithms.
Additional information and technical details about the attack can be found at https://terrapin-attack.com.
|Devices using affected ciphers
|Devices not using affected ciphers
Required Configuration for Exposure
PAN-OS software configured with support for the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms (ciphers with -etm in the name) enables the Terrapin Attack and are impacted by this issue.
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Customers can resolve this issue by configuring the in-use SSH profile to contain at least one cipher and at least one MAC algorithm, which removes support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:
To validate that the affected ciphers and algorithms are no longer enabled, please see the guidance at: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE
This issue is completely resolved by following the recommended best practices for deploying PAN-OS (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices). No additional PAN-OS fixes are planned in maintenance releases at this time.