App-ID Cache Poisoning (PAN-SA-2013-0001)

Last revised: 01/07/2013


An evasion technique that takes advantage of the App-ID cache function has recently been published. In certain circumstances, a knowledgeable user can bypass security policy that restricts the use of certain applications by sending numerous specially crafted requests over the network in order to poison the firewall’s App-ID cache.  This can result in the use of a blocked application for a period of time. If the App-ID cache pollution evasion technique is a potential problem for your network, we recommend using one or both of the mitigation steps noted below while we further enhance the App-ID cache feature to resist all possible pollution techniques. (Ref #47195)

Severity: Medium

This issue affects the ability of the firewall to block certain applications when specially crafted requests are passed through the firewall.

Products Affected

All versions of PAN-OS 5.0.1 and earlier.

Available Updates

PAN-OS 5.0.2 and later; PAN-OS 4.1.11 and later; PAN-OS 4.0.14 and later.

Workarounds and Mitigations

Upgrade to the available updates for the 5.0, 4.1, and 4.0 PAN-OS releases. This update changes the way the App-ID cache is used to prevent App-ID cache poisoning. Additionally, Palo Alto Networks recommends using the “application-default” or specific ports in the service field of the security policies. This prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage. Many of the evasion variants observed using the App-ID cache pollution would have failed if “application-default” had been used in the security policies. All security rules with “any” in the service field should be double-checked and in most cases, should be modified to use a specific port or “application-default”. Note that the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.