CVE-2020-1968

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.2 through 1.0.2v PAN-OS software versions earlier than 10.0

Description The issue is related to a flaw in the TLS specification that can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. This would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites.

Recommendations For OpenSSL versions 1.0.2 through 1.0.2v, update to version 1.0.2w to fix the issue. For PAN-OS software versions earlier than 10.0, update to version 10.0 or later to fix the issue. As a temporary workaround, consider disabling the use of DH ciphersuites in TLS connections until a patch is available. Restrict access to the affected components, such as SSL Forward-Proxy, SSL Inbound Inspection, GlobalProtect Portal, GlobalProtect Gateway, and GlobalProtect Clientless VPN, to minimize the risk of exploitation.