CVE-2020-2035 : What You Need to Know

Discover the impact of CVE-2020-2035, a vulnerability in PAN-OS allowing evasion of URL filtering policies on decrypted HTTPS sessions. Learn about affected systems, exploitation, and mitigation steps.

A vulnerability in PAN-OS allows a compromised host to evade URL filtering policies on decrypted HTTPS sessions, impacting Palo Alto Networks' products.

Understanding CVE-2020-2035

This CVE highlights a situation where URL filtering policies are not enforced on TLS handshakes for decrypted HTTPS sessions.

What is CVE-2020-2035?

When SSL/TLS Forward Proxy Decryption is configured, the PAN-OS URL filtering feature inspects HTTP Host and URL path headers but overlooks the Server Name Indication (SNI) field in the TLS Client Hello handshake. This evasion technique can be exploited by a compromised host to bypass security policies.

The Impact of CVE-2020-2035

        Confidentiality Impact: None
        Integrity Impact: Low
        Availability Impact: None
        CVSS Base Score: 3 (Low)

Technical Details of CVE-2020-2035

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The issue allows a compromised host to evade URL filtering policies on decrypted HTTPS sessions, potentially leading to policy enforcement bypass.

Affected Systems and Versions

        Product: PAN-OS
        Vendor: Palo Alto Networks
        Affected Versions: 8.1.*, 9.0.*, 9.1.*, 10.0.*, 10.1.*

Exploitation Mechanism

The vulnerability arises when SSL/TLS Forward Proxy Decryption is enabled, allowing a compromised host to evade URL filtering policies.

Mitigation and Prevention

Learn how to mitigate and prevent exploitation of this vulnerability.

Immediate Steps to Take

        Review the provided KB article for background and mitigation options.
        Implement workarounds to enforce URL filtering policies on TLS handshakes.
        Do not disable SSL/TLS Decryption as a workaround.

Long-Term Security Practices

        Separate SSL/TLS Decryption and URL Filtering functions in the traffic chain.
        Consider using an endpoint protection solution like Cortex XDR agent.

Patching and Updates

        Palo Alto Networks is enhancing inspection engines to address the vulnerability.
        No PAN-OS updates are currently available for this issue.
