Another issue fixed in the just-released PANOS version 6.1.2 from Palo Alto Networks is bug ID 71321: “Removed support for SSL 3.0 from the GlobalProtect gateway, GlobalProtect portal, and Captive Portal due to CVE-2014-3566 (POODLE).” I scanned my lab unit before (6.1.1) and after the OS upgrade (6.1.2); here are the results.
Once more I am using the Qualys SSL Server Test to check the TLS status of my services, in this case the Palo Alto GlobalProtect login page. Here are the two results, before and after the update to version 6.1.2. Since the previous version was vulnerable to the “Padding Oracle On Downgraded Legacy Encryption” attack, the overall rating was degraded to F.
Though it is nice that the TLS connections to the Palo Alto firewall are no longer vulnerable to this type of attack, I would prefer to choose the protocols and cipher suites that are used on the server myself, rather than relying solely on the Palo Alto defaults. For example, there is not a single cipher suite available that supports Perfect Forward Secrecy. Oh oh.
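The two checks the Qualys scan performs on this page can also be done locally: send an SSL 3.0 ClientHello and see whether the server accepts it (a POODLE-exposed configuration), and look at the key exchange of the cipher suite the server picks to see whether it provides forward secrecy. The script below is an added example, not code from the original post or from Palo Alto Networks. It builds the ClientHello and parses the reply by hand following the SSL 3.0/TLS record layout (RFC 6101, RFC 5246), because modern OpenSSL and Python builds no longer speak SSLv3 at all; the cipher-suite table and the host and port in `main()` are constructed assumptions for illustration.

```python
"""Probe an endpoint for SSL 3.0 acceptance and check the chosen suite for PFS.

Added example; not from the original post or from Palo Alto Networks.
Record/handshake layout follows SSL 3.0 (RFC 6101) and TLS (RFC 5246).
"""
import os
import socket
import struct

SSL3_VERSION = 0x0300

# Constructed, deliberately small suite table: (IANA id -> name).
# ECDHE_/DHE_ suites use ephemeral Diffie-Hellman and give forward secrecy;
# plain RSA key exchange does not (one leaked private key decrypts all captures).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def has_forward_secrecy(suite_id):
    """True if the suite's key exchange is ephemeral (ECDHE or DHE)."""
    return CIPHER_SUITES.get(suite_id, "").startswith(("TLS_ECDHE_", "TLS_DHE_"))


def build_sslv3_client_hello(suites=tuple(CIPHER_SUITES)):
    """Return one SSL 3.0 handshake record carrying a ClientHello for `suites`."""
    body = struct.pack("!H", SSL3_VERSION)               # client_version = 3.0
    body += os.urandom(32)                               # gmt_unix_time + random
    body += b"\x00"                                      # session_id length = 0
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def make_server_hello(suite_id, version=SSL3_VERSION):
    """Constructed ServerHello record, used to exercise the parser offline."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, sid len
    body += struct.pack("!H", suite_id) + b"\x00"                # suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body    # type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def classify_server_response(data):
    """Return (accepted_sslv3, detail) for the first record the server sent back."""
    if len(data) < 5:
        return False, "no TLS record (server closed the connection)"
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:               # alert record
        return False, f"alert {payload[1]} (40 = handshake_failure, 70 = protocol_version)"
    if content_type == 0x16 and payload and payload[0] == 0x02:  # ServerHello
        hs = payload[4:]                                         # skip type + 3-byte length
        srv_version = struct.unpack("!H", hs[0:2])[0]
        sid_len = hs[34]                                         # after 2-byte version + 32-byte random
        suite = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        if srv_version == SSL3_VERSION:
            name = CIPHER_SUITES.get(suite, hex(suite))
            pfs = "PFS" if has_forward_secrecy(suite) else "no PFS"
            return True, f"server negotiated SSL 3.0 with {name} ({pfs}): POODLE-exposed"
        return False, f"server answered with version {srv_version:#06x}, not SSL 3.0"
    return False, f"unexpected record type {content_type:#04x}"


def probe_sslv3(host, port=443, timeout=5.0):
    """Network part: send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_server_response(data)


if __name__ == "__main__":
    # Assumed lab address for illustration; replace with the GlobalProtect portal.
    accepted, detail = probe_sslv3("vpn.example.internal", 443)
    print("SSLv3 accepted:", accepted, "-", detail)
```

A server that has SSL 3.0 removed, as PANOS 6.1.2 has, answers the SSLv3 ClientHello with an alert (or just drops the connection), which the parser reports as not accepted. A server that still speaks SSLv3 returns a ServerHello with version 0x0300, and the detail line also tells you whether the suite it chose is an ephemeral (ECDHE/DHE) one, which is the Perfect Forward Secrecy question raised above.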
One thought on “Palo Alto PANOS 6.1.2: No more SSLv3/POODLE”
PANW also does not support PFS in inbound SSL decryption because it lacks reverse proxy techniques for this kind of decryption, so we always need external resources to accomplish that. ;-(