CVE-2020-2035

Name of the Vulnerable Software and Affected Versions PAN-OS versions prior to 10.1

Description The PAN-OS URL filtering feature does not consider the Server Name Indication (SNI) field within the TLS Client Hello handshake when SSL/TLS Forward Proxy Decryption mode is enabled. This allows a compromised host in a protected network to evade security policies that use URL filtering on a firewall configured with SSL Decryption in the Forward Proxy mode. A malicious actor can use this technique to evade detection of communication on the TLS handshake phase between a compromised host and a remote malicious server. This issue has a low impact on the integrity of the firewall because it fails to enforce a policy on certain traffic that should have been blocked. Palo Alto Networks is not aware of any malware that uses this technique to exfiltrate data.

Recommendations For PAN-OS versions prior to 10.1, consider enabling CTD inspection in the appliance configuration to mitigate this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability for versions prior to 10.1 without CTD inspection enabled.