
CVE-2020-2035

PAN-OS: URL filtering policy is not enforced on TLS handshakes for decrypted HTTPS sessions

  • Severity Score: 3.0 (CVSS v3.1)
  • Exploit Likelihood (EPSS): -
  • Affected Versions (CPE): -
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -
Descriptions

When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt the web transactions, the PAN-OS URL filtering feature inspects the HTTP Host and URL path headers for policy enforcement on the decrypted HTTPS web transactions but does not consider Server Name Indication (SNI) field within the TLS Client Hello handshake. This allows a compromised host in a protected network to evade any security policy that uses URL filtering on a firewall configured with SSL Decryption in the Forward Proxy mode. A malicious actor can then use this technique to evade detection of communication on the TLS handshake phase between a compromised host and a remote malicious server. This technique does not increase the risk of a host being compromised in the network. It does not impact the confidentiality or availability of a firewall. This is considered to have a low impact on the integrity of the firewall because the firewall fails to enforce a policy on certain traffic that should have been blocked. This issue does not impact the URL filtering policy enforcement on clear text or encrypted web transactions. This technique can be used only after a malicious actor has compromised a host in the protected network and the TLS/SSL Decryption feature is enabled for the traffic that the attacker controls. Palo Alto Networks is not aware of any malware that uses this technique to exfiltrate data. This issue is applicable to all current versions of PAN-OS. This issue does not impact Panorama or WF-500 appliances.


*Credits: Palo Alto Networks thanks Morten Marstrander and Matteo Malvica from mnemonic AS for discovering and reporting this issue.
CVSS Scores
CVSS v3.1 (base score 3.0)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: Single
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-12-04 CVE Reserved
  • 2020-08-12 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • Exploited in Wild: -
  • KEV Due Date: -
  • First Exploit: -
CWE
  • CWE-20: Improper Input Validation
CAPEC
  • -
Affected Vendors, Products, and Versions
Vendor            Product  Version  Other  Status
Paloaltonetworks  Pan-os   *        -      Affected