{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"Impact of Terrapin SSH Attack"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2023-48795","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:32:43.478Z","generator":{"date":"2026-04-11T00:32:43.478Z","engine":{"name":"vulnogram","version":"0.1.0-rc1"}},"id":"CVE-2023-48795","initial_release_date":"2024-01-09T01:30:00.000Z","revision_history":[{"number":"1","date":"2024-01-08T17:30:00.000Z","summary":"Initial publication"},{"number":"2","date":"2024-01-16T17:30:00.000Z","summary":"Clarified solution"},{"number":"3","date":"2024-03-29T12:00:00.000Z","summary":"Added Prisma SD-WAN ION impact and PAN-OS SSH client impact"},{"number":"4","date":"2024-10-14T12:50:00.000Z","summary":"Updated Product Status table"},{"number":"5","date":"2024-12-20T11:15:00.000Z","summary":"Updated ETA for PAN-OS 10.1.15"},{"number":"6","date":"2025-07-15T14:25:00.000Z","summary":"Improved readability, updated status for PAN-OS 10.1"},{"number":"7","date":"2026-03-09T18:00:00.000Z","summary":"Updated fix versions for PAN-OS SSH server; added support for Strict Key Exchange (kex-strict)."}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[{"name":"PAN-OS","category":"product_name","branches":[{"category":"product_version_range","name":"vers:generic/PAN-OS>=9.0.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-371"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=9.1.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-533"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.1.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-118"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<10.2.14","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-535"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.14","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-535"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.0.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-121"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<11.1.8","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-658"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.1.8","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-658"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<11.2.8","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-685"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.2.8","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-685"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=12.1.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-724"}}]},{"name":"Prisma SD-WAN ION","category":"product_name","branches":[{"category":"product_version_range","name":"vers:generic/Prisma SD-WAN ION<5.6.19","product":{"name":"Palo Alto Networks Prisma SD-WAN ION","product_id":"PANW-Prisma-SD-WAN-ION-4"}},{"category":"product_version_range","name":"vers:generic/Prisma SD-WAN ION>=5.6.19","product":{"name":"Palo Alto Networks Prisma SD-WAN ION","product_id":"PANW-Prisma-SD-WAN-ION-4"}},{"category":"product_version_range","name":"vers:generic/Prisma SD-WAN ION<6.1.8","product":{"name":"Palo Alto Networks Prisma SD-WAN ION","product_id":"PANW-Prisma-SD-WAN-ION-5"}},{"category":"product_version_range","name":"vers:generic/Prisma SD-WAN ION>=6.1.8","product":{"name":"Palo Alto Networks Prisma SD-WAN ION","product_id":"PANW-Prisma-SD-WAN-ION-5"}},{"category":"product_version_range","name":"vers:generic/Prisma SD-WAN ION=6.3.2","product":{"name":"Palo Alto Networks Prisma SD-WAN ION","product_id":"PANW-Prisma-SD-WAN-ION-6"}}]}]}]},"vulnerabilities":[{"cve":"CVE-2023-48795","product_status":{"fixed":["PANW-PAN-OS-535","PANW-PAN-OS-658","PANW-PAN-OS-685","PANW-Prisma-SD-WAN-ION-4","PANW-Prisma-SD-WAN-ION-5","PANW-Prisma-SD-WAN-ION-6"],"known_affected":["PANW-PAN-OS-371","PANW-PAN-OS-533","PANW-PAN-OS-118","PANW-PAN-OS-535","PANW-PAN-OS-121","PANW-PAN-OS-658","PANW-PAN-OS-685","PANW-Prisma-SD-WAN-ION-4","PANW-Prisma-SD-WAN-ION-5","PANW-Prisma-SD-WAN-ION-2","PANW-Prisma-SD-WAN-ION-6"],"known_not_affected":["PANW-PAN-OS-724"]},"notes":[{"category":"description","text":"The Terrapin attack allows an attacker with the ability to intercept SSH traffic on affected Palo Alto Networks products (through machine-in-the-middle or MitM attacks) to downgrade connection security and force the usage of less secure client authentication algorithms when an administrator or user connects to the product.\n\nThis issue does not impact the SSH server component of PAN-OS software configured to exclusively use strong cipher algorithms or configured to operate in FIPS-CC mode, which removes support for the impacted algorithms.\n\nWhen using the PAN-OS SSH client to connect to an SSH server that supports the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms, the traffic is susceptible to this attack.\n\nThis issue affects Prisma SD-WAN ION devices.\n\nAdditional information and technical details about the attack can be found at https://terrapin-attack.com."}],"references":[{"category":"external","summary":"NVD - CVE-2023-48795","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48795"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2023-48795","url":"https://security.paloaltonetworks.com/CVE-2023-48795"}],"threats":[{"category":"impact","description":"The Terrapin attack allows an attacker with the ability to intercept SSH traffic on affected Palo Alto Networks products (through machine-in-the-middle or MitM attacks) to downgrade connection security and force the usage of less secure client authentication algorithms when an administrator or user connects to the product.\n\nThis issue does not impact the SSH server component of PAN-OS software configured to exclusively use strong cipher algorithms or configured to operate in FIPS-CC mode, which removes support for the impacted algorithms.\n\nWhen using the PAN-OS SSH client to connect to an SSH server that supports the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms, the traffic is susceptible to this attack.\n\nThis issue affects Prisma SD-WAN ION devices.\n\nAdditional information and technical details about the attack can be found at https://terrapin-attack.com."}],"scores":[{"cvss_v4":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"AUTOMATIC","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"LOW","providerUrgency":"AMBER","exploitMaturity":"NOT_DEFINED","baseSeverity":"MEDIUM","baseScore":6,"threatSeverity":"MEDIUM","threatScore":6,"vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber"},"products":["PANW-PAN-OS-371","PANW-PAN-OS-533","PANW-PAN-OS-118","PANW-PAN-OS-535","PANW-PAN-OS-121","PANW-PAN-OS-658","PANW-PAN-OS-685","PANW-Prisma-SD-WAN-ION-4","PANW-Prisma-SD-WAN-ION-5","PANW-Prisma-SD-WAN-ION-2","PANW-Prisma-SD-WAN-ION-6"]}]}]}