[Palo Alto Networks Security Advisories] CVE-2023-48795 Impact of Terrapin SSH Attack

July 15, 2025

Palo Alto Networks Security Advisories /CVE-2023-48795

CVE-2023-48795 Impact of Terrapin SSH Attack

UrgencyMODERATE

047910
Severity6 ·MEDIUM
Exploit MaturityN/A
Response EffortLOW
RecoveryAUTOMATIC
Value DensityDIFFUSE
Attack VectorNETWORK
Attack ComplexityHIGH
Attack RequirementsPRESENT
AutomatableNO
User InteractionPASSIVE
Product ConfidentialityNONE
Product IntegrityHIGH
Product AvailabilityNONE
Privileges RequiredNONE
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE
CVEJSONCSAF
Published2024-01-09
Updated2025-07-15
ReferencePAN-241547,CGSDW-19542
Discoveredexternally

Description

The Terrapin attack allows an attacker with the ability to intercept SSH traffic on affected Palo Alto Networks products (through machine-in-the-middle or MitM attacks) to downgrade connection security and force the usage of less secure client authentication algorithms when an administrator or user connects to the product.

This issue does not impact the SSH server component of PAN-OS software configured to exclusively use strong cipher algorithms or configured to operate in FIPS-CC mode, which removes support for the impacted algorithms.

When using the PAN-OS SSH client to connect to an SSH server that supports the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms, the traffic is susceptible to this attack.

This issue affects Prisma SD-WAN ION devices.

Additional information and technical details about the attack can be found at https://terrapin-attack.com.

Product Status

VersionsAffectedUnaffected
PAN-OS 11.1< 11.1.3>= 11.1.3
PAN-OS 11.0< 11.0.6>= 11.0.6
PAN-OS 10.2< 10.2.11>= 10.2.11
PAN-OS 10.1AllNone
PAN-OS 9.1AllNone
PAN-OS 9.0AllNone

Required Configuration for Exposure

The SSH server in PAN-OS software configured with support for the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms (ciphers with -etm in the name) enables the Terrapin Attack and is impacted by this issue.

Severity:MEDIUM, Suggested Urgency:MODERATE

CVSS-BT:6.0 /CVSS-B:6.0 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-354 Improper Validation of Integrity Check Value

Solution

For PAN-OS SSH server

Customers can resolve this issue by configuring the in-use SSH profile to contain at least one cipher and at least one MAC algorithm, which removes support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages:

To validate the affected ciphers and algorithms are no longer enabled, please see the guidance on checking ciphers enabled on PAN-OS.

This issue is completely resolved by following the recommended best practices for deploying PAN-OS.

No additional PAN-OS fixes are planned in maintenance releases at this time. 

For PAN-OS SSH client

The PAN-OS SSH client is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions.

For Prisma SD-WAN ION

This issue is fixed in Prisma SD-WAN ION 5.6.19, Prisma SD-WAN ION 6.1.8, Prisma SD-WAN ION 6.3.2, and all later Prisma SD-WAN ION versions. If you are using the Prisma SD-WAN ION 6.2 series, evaluate moving to another Prisma SD-WAN ION series number based on the Prisma SD-WAN ION Software Release Guidelines.

Workarounds and Mitigations

If using the SSH client provided with PAN-OS to connect from the firewall to an external SSH server, ensure that the SSH server does not support the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms.

CPE Applicability

    • cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)9.0.0
    • ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)9.1.0
    • ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.1.0
    • ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.0 and up to (excluding)10.2.11
    • ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.0.0 and up to (excluding)11.0.6
    • ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.3
  • or
    • cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)5.6.0 and up to (excluding)5.6.19
    • ORcpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)6.1.0 and up to (excluding)6.1.8
    • ORcpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)6.2
    • ORcpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)6.3.0 and up to (excluding)6.3.2

Timeline

Improved readability, updated status for PAN-OS 10.1
Updated ETA for PAN-OS 10.1.15
Updated Product Status table
Added Prisma SD-WAN ION impact and PAN-OS SSH client impact
Clarified solution
Initial publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

To keep up to date follow us on the below channels.

Tags: , ,

You may have missed

image

[AKIRA] – Ransomware Victim: Acetificio Andrea Milano

July 16, 2025
image

[AKIRA] – Ransomware Victim: PEPRO

July 16, 2025
image

[AKIRA] – Ransomware Victim: Title XI

July 16, 2025
image

CVE Alert: CVE-2025-50094

July 16, 2025
image

CVE Alert: CVE-2025-50095

July 16, 2025