Palo Alto Networks Security Advisories / CVE-2013-5663

CVE-2013-5663 App-ID Cache Poisoning

047910
Severity 3.7 · LOW
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact LOW
User Interaction NONE
Availability Impact NONE
NVD JSON
Published 2013-01-07
Updated
Reference 47195 PAN-SA-2013-0001

Description

An evasion technique that takes advantage of the App-ID cache function has recently been published. In certain circumstances, a knowledgeable user can bypass security policy that restricts the use of certain applications by sending numerous specially crafted requests over the network in order to poison the firewall’s App-ID cache.  This can result in the use of a blocked application for a period of time. If the App-ID cache pollution evasion technique is a potential problem for your network, we recommend using one or both of the mitigation steps noted below while we further enhance the App-ID cache feature to resist all possible pollution techniques. (Ref #47195)

This issue affects the ability of the firewall to block certain applications when specially crafted requests are passed through the firewall.

This issue affects All versions of PAN-OS 5.0.1 and earlier.

Product Status

VersionsAffectedUnaffected
PAN-OS 5.0<= 5.0.1>= 5.0.2
PAN-OS 4.1None>= 4.1.11
PAN-OS 4.0None>= 4.0.14

Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Weakness Type

CWE-264

Solution

PAN-OS 5.0.2 and later; PAN-OS 4.1.11 and later; PAN-OS 4.0.14 and later.

Workarounds and Mitigations

Upgrade to the available updates for the 5.0, 4.1, and 4.0 PAN-OS releases. This update changes the way the App-ID cache is used to prevent App-ID cache poisoning.

Additionally, Palo Alto Networks recommends using the “application-default” or specific ports in the service field of the security policies. This prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage. Many of the evasion variants observed using the App-ID cache pollution would have failed if “application-default” had been used in the security policies. All security rules with “any” in the service field should be double-checked and in most cases, should be modified to use a specific port or “application-default”. Note that the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.

Acknowledgments

None
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.