CVE-2023-48795 Impact of Terrapin SSH Attack
Description
The Terrapin attack allows an attacker with the ability to intercept SSH traffic on affected Palo Alto Networks products (through machine-in-the-middle or MitM attacks) to downgrade connection security and force the usage of less secure client authentication algorithms when an administrator or user connects to the product.
This issue does not impact the SSH server component of PAN-OS software configured to exclusively use strong cipher algorithms or configured to operate in FIPS-CC mode, which removes support for the impacted algorithms.
When using the PAN-OS SSH client to connect to an SSH server that supports the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms, the traffic is susceptible to this attack.
This issue affects Prisma SD-WAN ION devices.
Additional information and technical details about the attack can be found at https://terrapin-attack.com.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 9.0 | All | None |
| PAN-OS 9.1 | All | None |
| PAN-OS 10.1 | All | None |
| PAN-OS 10.2 | < 10.2.14 | >= 10.2.14 ¹ |
| PAN-OS 11.0 | All | None ² |
| PAN-OS 11.1 | < 11.1.8 | >= 11.1.8 ¹ |
| PAN-OS 11.2 | < 11.2.8 | >= 11.2.8 |
| PAN-OS 12.1 | None | All |
¹ While PAN-OS 10.2.11 and PAN-OS 11.1.3 addressed the SSH client vulnerability, PAN-OS 10.2.14 and PAN-OS 11.1.8 introduce a formal code fix for the SSH server via kex-strict support, removing the need for manual configuration workarounds.
² PAN-OS 11.0 reached End-of-Life (EOL) on November 17, 2024. While the SSH client fix was included in version 11.0.6, no further maintenance releases are planned to address the SSH server component (kex-strict support). Customers on this version must use the Configuration Workaround for PAN-OS SSH server, or upgrade to a supported maintenance release (e.g., 11.1.8 or later).
Required Configuration for Exposure
The SSH server in PAN-OS software configured with support for the CHACHA20-POLY1305 cipher or any Encrypt-then-MAC algorithm (MAC algorithms with -etm in the name) enables the Terrapin attack and is impacted by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 6.0 / CVSS-B: 6.0 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-354 Improper Validation of Integrity Check Value
Solution
For PAN-OS SSH server
The PAN-OS SSH server is fixed in PAN-OS 10.2.14, PAN-OS 11.1.8, PAN-OS 11.2.8, and all later PAN-OS versions. These versions implement support for the Strict Key Exchange (kex-strict) extension, which prevents the prefix truncation required for the Terrapin attack. Customers are still encouraged to follow best practices for configuring strong ciphers and algorithms.
For PAN-OS SSH client
The PAN-OS SSH client is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions.
For Prisma SD-WAN ION
This issue is fixed in Prisma SD-WAN ION 5.6.19, Prisma SD-WAN ION 6.1.8, Prisma SD-WAN ION 6.3.2, and all later Prisma SD-WAN ION versions. If you are using the Prisma SD-WAN ION 6.2 series, evaluate moving to another Prisma SD-WAN ION series number based on the Prisma SD-WAN ION Software Release Guidelines.
Workarounds and Mitigations
For PAN-OS SSH server
Customers can work around this issue by configuring the in-use SSH profile with an explicit list of at least one cipher and at least one MAC algorithm that excludes CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms (MAC algorithms with -etm in the name) available in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:
- Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0
- Refresh SSH Keys and Configure Key Options for Management Interface Connection
To validate the affected ciphers and algorithms are no longer enabled, please see the guidance on checking ciphers enabled on PAN-OS.
This issue is completely mitigated by following the recommended best practices for deploying PAN-OS.
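As an added example (this is not Palo Alto Networks code; the advisory ships no checker), the script below performs the validation step described above against any SSH server, including an external server that the PAN-OS SSH client connects to. It completes the SSH version exchange, reads the server's first, still unencrypted SSH_MSG_KEXINIT, and reports whether chacha20-poly1305@openssh.com or any -etm MAC is still offered, and whether the server advertises the strict key exchange extension (kex-strict-s-v00@openssh.com) that the fixed PAN-OS releases implement. Following the advisory, every -etm MAC counts as exposed. The client version string, host and port are assumptions, and the KEXINIT values used for the offline check are constructed sample data.

```python
"""Added example (not Palo Alto Networks code): read a server's SSH_MSG_KEXINIT and
apply the Terrapin (CVE-2023-48795) exposure conditions stated in the advisory."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # strict kex flag a server advertises
NAME_LISTS = (  # RFC 4253 s.7.1 name-list order, after the 16-byte cookie
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def build_kexinit(fields, cookie=bytes(16)):
    """Serialise a KEXINIT payload; used here to construct sample inputs offline."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        data = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = FALSE, reserved
    return bytes(out)


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message id byte included) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, fields = 17, {}  # skip message id + cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % name)
        fields[name] = raw.decode("ascii").split(",") if n else []
        off += 4 + n
    return fields


def assess(fields):
    """Apply the advisory's exposure conditions to a parsed server KEXINIT."""
    ciphers = set(fields["encryption_algorithms_client_to_server"]) | set(
        fields["encryption_algorithms_server_to_client"])
    macs = set(fields["mac_algorithms_client_to_server"]) | set(
        fields["mac_algorithms_server_to_client"])
    chacha = CHACHA20 in ciphers
    etm = sorted(m for m in macs if "-etm" in m)  # advisory: any Encrypt-then-MAC counts
    strict = STRICT_KEX_SERVER in fields["kex_algorithms"]
    return {
        "chacha20_poly1305": chacha,
        "etm_macs": etm,
        "strict_kex": strict,
        # A vulnerable mode is offered and strict kex cannot be negotiated,
        # so the handshake prefix truncation is still possible.
        "terrapin_exposed": (chacha or bool(etm)) and not strict,
    }


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Do the version exchange and return the server's first (plaintext) KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin_check\r\n")  # assumed client version string
        buf = b""

        def take(n):  # read exactly n bytes from the stream
            nonlocal buf
            while len(buf) < n:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection early")
                buf += chunk
            out, buf = buf[:n], buf[n:]
            return out

        line = b""  # servers may send banner lines before the "SSH-2.0-..." line
        while not line.startswith(b"SSH-"):
            line = b""
            while not line.endswith(b"\n"):
                line += take(1)
        # Binary packet (RFC 4253 s.6): uint32 packet_length, byte padding_length, payload, padding
        (packet_length,) = struct.unpack(">I", take(4))
        padding_length = take(1)[0]
        body = take(packet_length - 1)
        return body[:len(body) - padding_length]


def check_host(host, port=22):
    return assess(parse_kexinit(fetch_server_kexinit(host, port)))


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    for key, value in check_host(target, target_port).items():
        print("%-20s %s" % (key, value))
```

Run it as python3 terrapin_check.py <management-ip> [port] before and after applying the workaround; a hardened profile should report no -etm MACs, no chacha20-poly1305, and terrapin_exposed False. The strict_kex flag reports the server side only: strict key exchange takes effect for a session only when the connecting client also advertises its counterpart, so on releases without kex-strict support the algorithm list is the thing to verify.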
For PAN-OS SSH client
If using the SSH client provided with PAN-OS to connect from the firewall to an external SSH server, ensure that the SSH server does not support the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms.
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 9.0.0
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 9.1.0
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.1.0
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.0 and up to (excluding) 10.2.14
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.0.0
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.1.0 and up to (excluding) 11.1.8
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.2.0 and up to (excluding) 11.2.8
- OR
- cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including) 5.6.0 and up to (excluding) 5.6.19
- OR cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including) 6.1.0 and up to (excluding) 6.1.8
- OR cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including) 6.2
- OR cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including) 6.3.0 and up to (excluding) 6.3.2