Palo Alto Networks Security Advisories / CVE-2013-5663

CVE-2013-5663 App-ID Cache Poisoning


047910
Severity 3.7 · LOW
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact LOW
User Interaction NONE
Availability Impact NONE

Description

An evasion technique that takes advantage of the App-ID cache function has recently been published. In certain circumstances, a knowledgeable user can bypass security policy that restricts the use of certain applications by sending numerous specially crafted requests over the network in order to poison the firewall’s App-ID cache.  This can result in the use of a blocked application for a period of time. If the App-ID cache pollution evasion technique is a potential problem for your network, we recommend using one or both of the mitigation steps noted below while we further enhance the App-ID cache feature to resist all possible pollution techniques. (Ref #47195)

This issue affects the ability of the firewall to block certain applications when specially crafted requests are passed through the firewall.

This issue affects All versions of PAN-OS 5.0.1 and earlier.

Product Status

VersionsAffectedUnaffected
PAN-OS 5.0<= 5.0.1>= 5.0.2
PAN-OS 4.1None>= 4.1.11
PAN-OS 4.0None>= 4.0.14

Severity: LOW

CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Weakness Type

CWE-264

Solution

PAN-OS 5.0.2 and later; PAN-OS 4.1.11 and later; PAN-OS 4.0.14 and later.

Workarounds and Mitigations

Upgrade to the available updates for the 5.0, 4.1, and 4.0 PAN-OS releases. This update changes the way the App-ID cache is used to prevent App-ID cache poisoning.

Additionally, Palo Alto Networks recommends using the “application-default” or specific ports in the service field of the security policies. This prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage. Many of the evasion variants observed using the App-ID cache pollution would have failed if “application-default” had been used in the security policies. All security rules with “any” in the service field should be double-checked and in most cases, should be modified to use a specific port or “application-default”. Note that the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.

Acknowledgments

Palo Alto Networks thanks None for discovering and reporting the issue.
© 2024 Palo Alto Networks, Inc. All rights reserved.