CVE-2025-0123

Solution:

• This issue is fixed in PAN-OS 10.1.14-h13, PAN-OS 10.2.15, PAN-OS 11.1.8, PAN-OS 11.2.6, and all later PAN-OS versions. Version Minor Version Suggested Solution PAN-OS 11.2 11.2.0 through 11.2.5Upgrade to 11.2.6 or later. PAN-OS 11.111.1.0 through 11.1.7 Upgrade to 11.1.8 or later.PAN-OS 11.0 (EoL) Upgrade to a supported fixed version. PAN-OS 10.2 10.2.0 through 10.2.14 Upgrade to 10.2.15 or later. PAN-OS 10.1 10.1.0 through 10.1.14-h11 Upgrade to 10.1.14-h13 or later. All other older unsupported PAN-OS versions Upgrade to a supported fixed version. To fully remediate risk, you must delete all pre-existing packet capture files stored on the firewall after you upgrade to a fixed PAN-OS version. This task can be performed through the PAN-OS web interface or through the PAN-OS CLI.Using the Web Interface: 1. Select Monitor > Packet Capture > Captured Files > (Select All) and Delete the files. 2. Select Yes when prompted by the confirmation dialog.Using the PAN-OS CLI: 1. Enter the following operational command: > delete debug-filter file *  2. A confirmation prints to the terminal and indicates that all packet capture files were successfully deleted from the firewall: successfully removed *

Workaround:

• Mitigation: In a Palo Alto Networks firewall, you can configure the decryption profile to strip ALPN (Application-Layer Protocol Negotiation) from the TLS handshake, which is used to negotiate the application protocol (e.g., HTTP/2 or HTTP/1.1) for the secured connection. When ALPN is absent, the following behaviors can occur: * Firewall behavior—With no ALPN value available, the firewall cannot perform HTTP/2 inspection. It either forces the connection to downgrade to HTTP/1.1 (by letting the client and server negotiate a fallback) or, if that downgrade isn’t possible, it can classify the traffic as unknown-tcp and potentially affects your security policy rules and application identification. * Client behavior—Most modern web browsers rely on ALPN to negotiate HTTP/2. If ALPN is missing, the client typically falls back to HTTP/1.1. * Server behavior—If ALPN is absent, the server can assume that the client supports only HTTP/1.1 and downgrades the connection accordingly. If the server enforces HTTP/2-only connections, then it may reject the handshake and cause a connection failure. Consequently, without ALPN, the Palo Alto Networks firewall does not inspect HTTP/2 connections, which prevents decrypted HTTP/2 (clear-text) traffic exposure to firewall administrators. You can review how to strip ALPN and disable HTTP/2 inspection for targeted traffic in the App-ID and HTTP/2 https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/http2#:~:text=Disable%20HTTP%2F2%20inspection%20for%20targeted%20traffic. inspection technical documentation. Additional mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . Specifically, you should restrict management interface access to only trusted internal IP addresses. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-ac... https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and detailed technical documentation:  https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr... https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices