SSL Vulnerability Non-Detection Behavior is Seen when Inbound SSL Decryption Policy is Set
0
Created On 09/26/18 13:44 PM - Last Modified 07/19/22 23:08 PM
Resolution
Issue
When configuring settings (with a normal security policy whether single VSYS or multiple VSYS) it is set together with Inbound SSL Decryption policy, detection of SSL relevant vulnerability by the security profile (vulnerability) failed.
Cause
After the inbound SSL decryption is set, the threat engine only sees decrypted data and does not have a chance to see the SSL version number (SSL3.0), which is in the SSL handshake hello packets. So the SSL v3 vulnerability is not identified in this setting.
Details
The vulnerabilities listed below apply to this scenario:
- SSL v3 due to the Poodle SSL vulnerability (CVE-2014-3566)
https://threatvault.paloaltonetworks.com (Threat ID 36815)
https://live.paloaltonetworks.com/t5/Threat-Articles/SSL-3-0-MITM-Attack-CVE-2014-3566-PAN-SA-2014-0... - Poodle Bites TLS (CVS-2014-8730)
https://threatvault.paloaltonetworks.com (Threat ID 37144)
https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls
Workaround
Deactivate the inbound SSL decryption policy by following the steps below:
- From the WebGUI, go to Policies and click Decryption on left side menu
- Choose a specific “Inbound SSL Decryption Policy”
- Click the Disable button
- Commit
owner: khogi