Cisco · Snort · CVE-2021-34749
**Name of the Vulnerable Software and Affected Versions**
Cisco Web Security Appliance (affected versions not specified)
Cisco Firepower Threat Defense (affected versions not specified)
Snort detection engine (affected versions not specified)
**Description**
A vulnerability in Server Name Identification (SNI) request filtering could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. This issue is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks.
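As an added, filter-side illustration that is not part of this advisory or of any Cisco or Snort code: the check below parses the SNI extension out of a TLS ClientHello record and flags values that are not syntactically valid DNS hostnames, which is the minimum a handshake filter should require before forwarding the ClientHello. The ClientHello builder is a constructed test fixture, and the hostname rule follows RFC 6066, which requires host_name to be a DNS hostname.

```python
import re
import struct
# RFC 6066: the SNI host_name must be a DNS hostname (no IP literals, no raw bytes).
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}")

def build_client_hello(host_name: bytes) -> bytes:
    """Constructed fixture: minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    entry = b"\x00" + struct.pack("!H", len(host_name)) + host_name        # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry        # extension_type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"  # version, random,
            + struct.pack("!H", len(ext)) + ext)                            # session_id, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                # record type 0x16 = handshake

def extract_sni(record: bytes):
    """Return the host_name bytes from the SNI extension of a ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                          # skip client_version and random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                                    # server_name extension
                p = pos + 2                                   # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = body[p], int.from_bytes(body[p + 1:p + 3], "big")
                    if ntype == 0:
                        return body[p + 3:p + 3 + nlen]
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        pass                                                  # truncated or malformed record
    return None

def classify_sni(record: bytes) -> str:
    """Filter-side check: is the SNI a plausible hostname, or arbitrary data riding in the handshake?"""
    name = extract_sni(record)
    if name is None:
        return "no-sni"
    if not name.isascii():
        return "suspicious:non-ascii"
    if not HOSTNAME_RE.fullmatch(name.decode("ascii").lower()):
        return "suspicious:not-a-hostname"
    return "ok"
```

A syntactically valid hostname can still carry encoded data in its labels, so a production filter would add length, label-count and entropy limits on top of this check; the advisory does not state which check the affected engines lacked.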
**Recommendations**
For Cisco Web Security Appliance, consider disabling the SNI request filtering feature until a patch is available.
For Cisco Firepower Threat Defense, restrict access to the SSL handshake to minimize the risk of exploitation.
For Snort detection engine, avoid using the SSL client hello packet in the affected filtering technology until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.