An evasion technique that takes advantage of the App-ID cache function has recently been published. In certain circumstances, a knowledgeable user can bypass security policy that restricts the use of certain applications by sending numerous specially crafted requests over the network in order to poison the firewall’s App-ID cache. This can result in the use of a blocked application for a period of time. If the App-ID cache pollution evasion technique is a potential problem for your network, we recommend using one or both of the mitigation steps noted below while we further enhance the App-ID cache feature to resist all possible pollution techniques. (Ref #47195)
This issue affects the ability of the firewall to block certain applications when specially crafted requests are passed through the firewall.
This issue affects All versions of PAN-OS 5.0.1 and earlier.
|PAN-OS 5.0||<= 5.0.1||>= 5.0.2|
|PAN-OS 4.1||None||>= 4.1.11|
|PAN-OS 4.0||None||>= 4.0.14|
CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
PAN-OS 5.0.2 and later; PAN-OS 4.1.11 and later; PAN-OS 4.0.14 and later.
Upgrade to the available updates for the 5.0, 4.1, and 4.0 PAN-OS releases. This update changes the way the App-ID cache is used to prevent App-ID cache poisoning.
Additionally, Palo Alto Networks recommends using the “application-default” or specific ports in the service field of the security policies. This prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage. Many of the evasion variants observed using the App-ID cache pollution would have failed if “application-default” had been used in the security policies. All security rules with “any” in the service field should be double-checked and in most cases, should be modified to use a specific port or “application-default”. Note that the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.